FortiWeb, Fortinet's Web Application Firewall, is designed to protect business-critical web applications from attacks that target known and unknown vulnerabilities. Rapid7 researcher William Vu has discovered an OS command injection vulnerability in the FortiWeb management interface. Fortinet will release a patch this week to fix the OS command-injection bug in FortiWeb.
Execute unauthorized code
Through this vulnerability in FortiWeb's management interface (version 6.3.11 and prior), a remote, authenticated attacker can execute arbitrary commands on the underlying system via the SAML server configuration page.
This bug has a CVSSv3 base score of 7.3, according to FortiGuard Labs. It is related to CVE-2021-22123, which was addressed in FG-IR-21-116. Successful exploitation allows an attacker to take complete control of the affected device.
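To make the bug class concrete, the following is an added example (not FortiWeb code, and not based on any knowledge of FortiWeb's internals): a hypothetical configuration handler that takes an identity-provider hostname entered on a form and uses it in a system command. The handler names, the command it runs and the sample inputs are all constructed for the illustration. The vulnerable variant splices the form value into a shell command line; the hardened variant validates the value against a strict hostname allowlist and passes it as a single argv element with no shell involved.

```python
"""Constructed illustration of an OS command injection pattern and its fix.

Added example, not FortiWeb code. It models a hypothetical configuration
handler that takes an identity-provider hostname typed into a form and uses
it in a system command. The function names, the command and the sample
inputs are assumptions made for the illustration.
"""
import re
import subprocess

# Strict allowlist for a DNS hostname: labels of letters, digits and hyphens,
# not starting or ending with a hyphen. Every shell metacharacter
# (; | & $ ` quotes, whitespace) falls outside this pattern.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def is_valid_hostname(value: str) -> bool:
    """Return True only for a syntactically valid hostname of sane length."""
    return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None


def build_command_unsafe(idp_host: str) -> str:
    """Vulnerable pattern: the form value is spliced into a shell command line.

    The shell parses the whole string, so a metacharacter in idp_host changes
    what gets executed, not merely which host is looked up.
    """
    return f"printf 'lookup %s\\n' {idp_host}"


def run_unsafe(idp_host: str) -> str:
    """Execute the vulnerable command through `sh -c` and return its stdout."""
    cmd = build_command_unsafe(idp_host)
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def build_command_safe(idp_host: str) -> list[str]:
    """Hardened pattern: validate first, then pass the value as one argv element.

    With no shell in the path, the value reaches the program as a single
    argument whatever characters it contains; the allowlist additionally
    rejects anything that is not a hostname before it gets that far.
    """
    if not is_valid_hostname(idp_host):
        raise ValueError(f"rejected hostname value: {idp_host!r}")
    return ["printf", "lookup %s\\n", idp_host]


def run_safe(idp_host: str) -> str:
    """Execute the hardened command (argv list, no shell) and return stdout."""
    return subprocess.run(build_command_safe(idp_host), capture_output=True, text=True).stdout


def handler_rejects(idp_host: str) -> bool:
    """True if the hardened handler refuses this value before running anything."""
    try:
        build_command_safe(idp_host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    benign = "idp.example.com"
    # Constructed malicious form value: a command terminator plus a second command.
    hostile = "idp.example.com; echo INJECTED"
    print(run_unsafe(benign), end="")
    print(run_unsafe(hostile), end="")   # the second command runs: output contains INJECTED
    print(run_safe(benign), end="")
    print("hardened handler rejects hostile value:", handler_rejects(hostile))
```

The point of the hardened variant is the combination: an allowlist on the value and an argv-list invocation that never hands a string to a shell. Either control alone narrows the problem; together they remove the shell's parsing from the picture entirely, which is what the patch for a bug of this class has to achieve on the device side.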
Fortinet recommends that users upgrade to the upcoming FortiWeb 6.3.15 or above, FortiWeb 6.4.1 or above, or FortiWeb 6.2.5 or above. FortiWeb users should also disable access to the management interface from untrusted networks, and use the Trusted Hosts feature to restrict admin users to trusted IP addresses.