August 19, 2021
A zero-day command injection vulnerability has been found in Fortinet FortiWeb Web Application Firewall (WAF).
An OS command injection vulnerability in FortiWeb’s management interface can allow a remote, authenticated attacker to execute arbitrary commands on the underlying system via the SAML server configuration page.
An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges.
Note that while authentication is a prerequisite for this exploit, this vulnerability could be combined with another authentication bypass issue, such as CVE-2020-29015.
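To make the vulnerability class concrete, here is a constructed example of the pattern an OS command injection in a configuration page typically comes down to, beside a hardened form. This is added illustration, not FortiWeb code, and it says nothing about how FortiWeb's handler is actually written: the backend tool path, the `--server` flag and the form field name are all assumptions.

```python
import re
import shlex
import subprocess

# Constructed illustration of the OS command injection pattern described in the
# advisory: a management-interface handler takes a SAML server name from a
# configuration form and hands it to a backend command. None of this is
# FortiWeb code; the backend tool path and its flag are hypothetical.

BACKEND_TOOL = "/usr/local/bin/saml-config-tool"  # hypothetical path

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 253 characters overall.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_command_unsafe(server_name: str) -> str:
    """Vulnerable pattern: untrusted input interpolated into a shell string.

    Anything the shell treats specially in `server_name` (';', '`', '$()', '|')
    becomes part of the command line, so a caller that runs this string with
    subprocess.run(cmd, shell=True) executes whatever the form submitter chose.
    The string is only built here, never executed.
    """
    return f"{BACKEND_TOOL} --server {server_name}"


def validate_hostname(server_name: str) -> str:
    """Allow-list validation: accept only a syntactically valid hostname."""
    if not _HOSTNAME_RE.match(server_name):
        raise ValueError(f"invalid SAML server hostname: {server_name!r}")
    return server_name


def build_command_safe(server_name: str) -> list:
    """Hardened pattern: validate first, then build an argv list (no shell).

    Each list element reaches the program as exactly one argument; shell
    metacharacters in `server_name` are never interpreted because no shell
    is involved in the execution path.
    """
    return [BACKEND_TOOL, "--server", validate_hostname(server_name)]


def run_safe(server_name: str) -> subprocess.CompletedProcess:
    """Execute the hardened form; a list argv means shell=False by default."""
    return subprocess.run(
        build_command_safe(server_name), capture_output=True, text=True, check=False
    )


def log_command(argv: list) -> str:
    """Render an argv list for an audit log; shlex.join quotes unsafe characters."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed form input carrying a shell metacharacter.
    payload = "idp.example.com; id"
    print("unsafe string that a shell would split:", build_command_unsafe(payload))
    try:
        build_command_safe(payload)
    except ValueError as exc:
        print("hardened handler rejected it:", exc)
    print("accepted argv:", log_command(build_command_safe("idp.example.com")))
```

The two defences are independent: the allow-list rejects the input before it goes anywhere, and the argv list means that even an input which slipped past validation would arrive at the backend tool as a single argument rather than as shell syntax. Reviewing configuration handlers for the first pattern (string interpolation into a shell command) is the practical code-audit check this advisory points at.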
Affected versions: FortiWeb 6.3.11 and prior.
Fortinet will publish a patch for this vulnerability at the end of August.
Until a patch is available, admins are advised to block access to the FortiWeb device’s management interface from untrusted networks (i.e., the Internet).