CVE-2023-34992

CRITICAL

FortiSIEM 6.6.0-6.6.2 - OS Command Injection via Crafted API Requests

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2023-34992. PoCs published by horizon3ai, dyeat, d0rb.

AI-analyzed exploit summary This is a working proof-of-concept exploit for CVE-2023-34992, a command injection vulnerability in Fortinet FortiSIEM. It leverages unauthenticated command injection via a crafted XML payload sent to the Phoenix Monitor service on port 7900.

Description

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to execute unauthorized code or commands via crafted API requests.

Exploits (3)

nomisec WORKING POC 27 stars

by horizon3ai · poc

https://github.com/horizon3ai/CVE-2023-34992

View Code ZIP pw:eip

This is a working proof-of-concept exploit for CVE-2023-34992, a command injection vulnerability in Fortinet FortiSIEM. It leverages unauthenticated command injection via a crafted XML payload sent to the Phoenix Monitor service on port 7900.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Fortinet FortiSIEM

No auth needed

Prerequisites: Network access to the target's Phoenix Monitor service (port 7900)

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

github WORKING POC

by dyeat · pythonpoc

https://github.com/dyeat/cve-reproduction/tree/main/Fortinet/FortiManager/CVE-2023-34992

View Code ZIP pw:eip

The repository contains a functional Python exploit for CVE-2023-34992, which leverages unauthenticated command injection in Fortinet FortiSIEM via a crafted XML payload sent to the Phoenix Monitor service. The exploit constructs a malicious XML payload with command injection in the server_ip field and sends it over SSL to trigger remote code execution as root.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Fortinet FortiSIEM

No auth needed

Prerequisites: Network access to the target's Phoenix Monitor service (default port 7900) · SSL/TLS connectivity to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 22, 2026 Full analysis →

nomisec WORKING POC

by d0rb · poc

https://github.com/d0rb/CVE-2023-34992-Checker

View Code ZIP pw:eip

This PoC exploits CVE-2023-34992 by sending a crafted XML payload with command injection in the server_ip field to a Phoenix Monitor service. It checks for vulnerability by sending a command and analyzing the response.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Phoenix Monitor (version not specified)

No auth needed

Prerequisites: Network access to the target service on port 7900 · SSL/TLS enabled on the target service

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory

https://fortiguard.com/psirt/FG-IR-23-130

Scores

CVSS v3 10.0

EPSS 0.7588

EPSS Percentile 98.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-78

Status published

Products (7)

fortinet/fortisiem 6.4.0

fortinet/fortisiem 6.4.1

fortinet/fortisiem 6.4.2

fortinet/fortisiem 6.5.0

fortinet/fortisiem 6.5.1

fortinet/fortisiem 7.0.0

fortinet/fortisiem 6.6.0 - 6.6.3

Published Oct 10, 2023

Tracked Since Feb 18, 2026