FortiOS - Format String in CLI command


A use of externally-controlled format string vulnerability [CWE-134] in FortiOS command line interface may allow a local privileged attacker with CLI access to execute arbitrary code or commands via specially crafted requests.

| Version | Affected | Solution |
|---|---|---|
| FortiOS 7.4 | 7.4.0 through 7.4.1 | Upgrade to 7.4.2 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.7 | Upgrade to 7.2.8 or above |
| FortiOS 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiOS 6.4 | 6.4 all versions | Migrate to a fixed release |

Follow the recommended upgrade path using our tool at:


Fortinet is pleased to thank Michael Messner and Benedikt Kühne from Siemens Energy for bringing this issue to our attention under responsible disclosure.


2024-04-09: Initial publication
2024-05-15: Description update