CVE-2023-41679 is an improper access control vulnerability identified in Fortinet's FortiManager management interface across multiple versions (6.0 all versions, 6.2 all versions, 6.4.0 through 6.4.11, 7.0.0 through 7.0.7, and 7.2.0 through 7.2.2). FortiManager is a centralized management platform used to administer Fortinet security devices. The vulnerability arises because an authenticated attacker with at least "device management" permissions within one Administrative Domain (ADOM) can manipulate CLI scripts in other ADOMs, which they should not have access to. ADOMs are logical partitions within FortiManager that separate administrative control for different sets of devices or organizational units. By adding or deleting CLI scripts in unauthorized ADOMs, the attacker can execute arbitrary commands or code on devices managed under those ADOMs, potentially leading to full compromise of those devices. The CVSS 3.1 base score is 7.7, reflecting high impact on confidentiality, integrity, and availability, with the attack vector being network-based and requiring low privileges but no user interaction. The scope is changed because the attacker’s permissions in one ADOM extend improperly to others. Although no exploits are publicly known yet, the vulnerability poses a significant risk due to the critical role FortiManager plays in network security management.

For European organizations, this vulnerability could lead to unauthorized control over multiple network security devices managed via FortiManager, undermining the security posture of entire networks. Attackers exploiting this flaw can execute arbitrary commands, potentially disabling security controls, exfiltrating sensitive data, or disrupting network availability. This is particularly critical for sectors such as finance, energy, telecommunications, and government agencies that rely heavily on Fortinet products for network defense. The ability to cross ADOM boundaries means that attackers can escalate privileges beyond their assigned administrative scope, increasing the risk of widespread compromise within large organizations or managed service providers. The impact extends to confidentiality breaches, integrity violations through unauthorized configuration changes, and availability disruptions by disabling or misconfiguring security devices. Given the centralized nature of FortiManager, a successful attack could have cascading effects across multiple sites or business units.

1. Apply official Fortinet patches or updates as soon as they become available for all affected FortiManager versions. 2. Until patches are applied, restrict device management permissions strictly to trusted administrators and minimize the number of users with such privileges. 3. Implement network segmentation and access controls to limit FortiManager management interface exposure to trusted networks only. 4. Monitor ADOM activities and audit logs for unusual CLI script additions or deletions, especially across ADOM boundaries. 5. Employ multi-factor authentication (MFA) for all FortiManager accounts to reduce risk of credential compromise. 6. Review and harden FortiManager configurations to enforce least privilege principles and isolate ADOMs effectively. 7. Conduct regular security assessments and penetration tests focused on FortiManager to detect potential exploitation attempts early. 8. Educate administrators about the risks of cross-ADOM access and enforce strict operational procedures for managing CLI scripts.