Fortinet FortiWeb OS Zero-Day RCE
August 19, 2021
A zero-day OS command injection vulnerability has been found in the Fortinet FortiWeb Web Application Firewall (WAF).
The Vulnerability
An OS command injection vulnerability in FortiWeb's management interface can allow a remote, authenticated attacker to execute arbitrary commands on the underlying system via the SAML server configuration page.
An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges.
Note that while authentication is a prerequisite for exploitation, this vulnerability could be chained with an authentication bypass issue, such as CVE-2020-29015.
Affected Versions
FortiWeb 6.3.11 and prior
Mitigation
Fortinet will publish a patch for this vulnerability at the end of August.
Workaround
Until a patch is available, admins are advised to block access to the FortiWeb device's management interface from untrusted networks, such as the Internet.
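To verify that the workaround above actually holds, the following added example (not from the advisory, Fortinet or Rapid7) scans access-log lines for management-interface requests from outside an allow-list of trusted networks and rates successful hits on a configuration page higher. The log layout, the trusted networks and the "/saml/" path prefix are constructed assumptions, not FortiWeb's real formats or paths.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Constructed sample log lines for this example; the field layout is made up
# and is NOT FortiWeb's real log format.
SAMPLE_LOGS = """\
2021-08-19T10:02:11Z src=10.20.0.15 path=/saml/server/edit user=admin status=200
2021-08-19T10:03:47Z src=198.51.100.23 path=/login user=admin status=200
2021-08-19T10:04:02Z src=198.51.100.23 path=/saml/server/edit user=admin status=200
2021-08-19T10:09:30Z src=10.20.0.15 path=/status user=auditor status=200
malformed line that the parser should skip
""".splitlines()

# Networks from which management access is expected (assumed values).
TRUSTED_MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.168.50.0/24")]

# URL prefixes treated as configuration pages (hypothetical path, not FortiWeb's).
SENSITIVE_PREFIXES = ("/saml/",)

LINE_RE = re.compile(r"src=(?P<src>\S+) path=(?P<path>\S+) user=(?P<user>\S+) status=(?P<status>\d+)")


def is_trusted(src: str, trusted=TRUSTED_MGMT_NETS) -> bool:
    """True when src falls inside one of the trusted management networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source is never trusted
    return any(addr in net for net in trusted)


def find_untrusted_mgmt_access(lines: Iterable[str],
                               trusted=TRUSTED_MGMT_NETS) -> List[Tuple[str, str, str, str]]:
    """Return (src, path, user, severity) for each request from outside the trusted nets.

    Successful requests to a configuration page are rated 'high', everything else 'medium'.
    """
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue  # skip lines that do not match the constructed format
        if is_trusted(m["src"], trusted):
            continue
        config_hit = m["path"].startswith(SENSITIVE_PREFIXES) and m["status"] == "200"
        hits.append((m["src"], m["path"], m["user"], "high" if config_hit else "medium"))
    return hits


if __name__ == "__main__":
    for hit in find_untrusted_mgmt_access(SAMPLE_LOGS):
        print("untrusted management access:", hit)
```

Any hit at all means the management interface is still reachable from an untrusted network and the workaround is incomplete; a "high" hit shows an authenticated session reaching a configuration page from there.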
References: Rapid7