FortiOS / FortiProxy / FortiPAM / FortiSwitchManager - Format string vulnerability in CLI commands

Summary

A use of externally-controlled format string vulnerability [CWE-134] in the FortiOS, FortiProxy, FortiPAM and FortiSwitchManager CLI may allow a privileged attacker to execute arbitrary code or commands via specially crafted requests.
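For readers unfamiliar with CWE-134, the following C program is an added illustration of the bug class named in the summary; it is not Fortinet code and says nothing about where the defect sits in the affected products. It contrasts a function that passes untrusted text straight to snprintf as the format string with the hardened form that uses a constant format and passes the text as a %s argument, and adds a small input check that counts conversion directives in an untrusted string. The function names, the sample input and the constructed log text are all assumptions made for this example.

```c
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

/* Vulnerable pattern (CWE-134): the caller-supplied text is handed to
 * snprintf as the FORMAT argument, so any '%' directives inside it are
 * interpreted by the C library instead of being copied verbatim.
 * GCC and clang flag this pattern with -Wformat-security /
 * -Wformat-nonliteral; the pragma only silences it so the example builds. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int format_log_vulnerable(char *out, size_t out_len, const char *untrusted)
{
    return snprintf(out, out_len, untrusted);
}
#pragma GCC diagnostic pop

/* Hardened form: the format string is a compile-time constant and the
 * untrusted text is only ever consumed as a %s argument, so it can no
 * longer steer the formatter. */
int format_log_fixed(char *out, size_t out_len, const char *untrusted)
{
    return snprintf(out, out_len, "%s", untrusted);
}

/* Defensive input check: count conversion directives in an untrusted
 * string. A '%%' pair is a literal percent sign and is not counted.
 * Useful as a review/audit helper or as a guard before logging text
 * whose path to a format function cannot be fully traced. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent, skip both characters */
            p++;
            continue;
        }
        n++;                    /* '%' introducing a conversion such as %x */
    }
    return n;
}

bool looks_like_format_string(const char *s)
{
    return count_conversions(s) > 0;
}

int main(void)
{
    /* Constructed sample: a benign message that happens to contain '%%'.
     * Using only '%%' keeps the vulnerable call well-defined so the
     * difference between the two functions can be observed safely. */
    const char *msg = "link utilisation 100%%";
    char out[64];

    format_log_vulnerable(out, sizeof out, msg);
    printf("vulnerable : %s\n", out);   /* directives were interpreted */

    format_log_fixed(out, sizeof out, msg);
    printf("fixed      : %s\n", out);   /* text copied verbatim */

    printf("conversions in \"%%x.%%x.%%s\": %d\n",
           count_conversions("%x.%x.%s"));
    return 0;
}
```

The check in count_conversions is a defence-in-depth measure for code paths that log or echo operator input; the real fix is the one shown in format_log_fixed, and building with -Wformat -Wformat-security (GCC/clang) catches the vulnerable call at compile time.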

Affected Products

FortiSwitchManager version 7.2.0 through 7.2.2
FortiSwitchManager version 7.0.0 through 7.0.2
FortiProxy 7.6 all versions are not affected
FortiProxy version 7.4.0
FortiProxy version 7.2.0 through 7.2.6
FortiProxy version 7.0.0 through 7.0.14
FortiProxy 2.0 all versions
FortiProxy 1.2 all versions
FortiPAM 1.5 all versions are not affected
FortiPAM 1.4 all versions are not affected
FortiPAM 1.3 all versions are not affected
FortiPAM 1.2 all versions are not affected
FortiPAM version 1.1.0 through 1.1.2
FortiPAM 1.0 all versions
FortiOS 7.6 all versions are not affected
FortiOS version 7.4.0
FortiOS version 7.2.0 through 7.2.6
FortiOS version 7.0.0 through 7.0.13
FortiOS 6.4 all versions
FortiOS 6.2 all versions

Solutions

Please upgrade to FortiOS version 7.4.2 or above
Please upgrade to FortiOS version 7.2.7 or above
Please upgrade to FortiOS version 7.0.14 or above
Please upgrade to FortiPAM version 1.2.0 or above
Please upgrade to FortiSwitchManager version 7.2.3 or above
Please upgrade to FortiSwitchManager version 7.0.3 or above
Please upgrade to FortiProxy version 7.4.1 or above
Please upgrade to FortiProxy version 7.2.8 or above
Please upgrade to FortiProxy version 7.0.15 or above

Acknowledgement

Fortinet is pleased to thank Ryan Quasney from BishopFox for bringing this issue to our attention under responsible disclosure.

Timeline

2025-02-11: Initial publication
2025-02-12: Clarify fixed version for 7.0 branches