PSIRT Advisory

FortiWLC file management OS Command Injection vulnerability

Summary

The FortiWLC file management AP script download webUI page is affected by an OS Command Injection vulnerability which may allow an authenticated admin user to execute arbitrary system console commands, and possibly subsequently "root" the device.
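The defect class named above is the classic pattern of a web handler that builds a shell command string from a user-supplied file name. The following is an added illustration written for this advisory, not FortiWLC code and not a reproduction of the reported bug; the directory, file names and handler functions are hypothetical. It contrasts the string-concatenation pattern with a hardened download handler that validates the name against an allowlist, confines the resolved path to the script directory, and reads the file without ever invoking a shell.

```python
import re
import tempfile
from pathlib import Path

# Allowlist for script names: alphanumerics, dot, underscore, dash; no
# path separators, whitespace or shell metacharacters (assumed policy).
SCRIPT_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def unsafe_command(script_name: str) -> str:
    """The pattern to avoid: untrusted input spliced into a shell string.
    Any metacharacter in script_name changes what the shell would run.
    (Hypothetical path; returned only for illustration, never executed.)"""
    return f"cat /opt/ap-scripts/{script_name}"


def is_safe_script_name(script_name: str) -> bool:
    """Reject anything outside the allowlist, plus hidden/relative names."""
    if not SCRIPT_NAME_RE.fullmatch(script_name):
        return False
    if script_name.startswith("."):
        return False
    return True


def resolve_script_path(base_dir: Path, script_name: str) -> Path:
    """Validate the name and confine the resolved path to base_dir."""
    if not is_safe_script_name(script_name):
        raise ValueError(f"rejected script name: {script_name!r}")
    base = base_dir.resolve()
    candidate = (base / script_name).resolve()
    if candidate.parent != base:
        raise ValueError("path escapes the script directory")
    return candidate


def download_script(base_dir: Path, script_name: str) -> bytes:
    """Hardened handler: no shell is involved, the file is read directly."""
    return resolve_script_path(base_dir, script_name).read_bytes()


def copy_script_argv(base_dir: Path, script_name: str, dest: Path) -> list:
    """If an external tool really must run, build argv as a list and pass it
    to subprocess.run without shell=True; '--' ends option parsing."""
    src = resolve_script_path(base_dir, script_name)
    return ["cp", "--", str(src), str(dest)]


def demo() -> dict:
    """Exercise the hardened handler against constructed sample names."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "ap-boot.sh").write_bytes(b"#!/bin/sh\necho ok\n")
        results = {}
        # Constructed inputs: one legitimate name, three that must be refused.
        for name in ["ap-boot.sh", "ap-boot.sh;echo x", "../ap-boot.sh", "ap boot.sh"]:
            try:
                results[name] = download_script(base, name)
            except (ValueError, FileNotFoundError) as exc:
                results[name] = f"rejected: {exc}"
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r}: {outcome!r}")
```

The two defensive layers are deliberately redundant: the allowlist regex alone already excludes separators and metacharacters, and the `resolve()`/parent check catches any future relaxation of the regex (or a symlink planted in the script directory) before a path outside the store is opened. Removing the shell entirely, as `download_script` does, is the change that actually eliminates the injection; input validation only narrows it.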

Impact

OS Command Injection

Affected Products

FortiWLC 6.1-2 -> 6.1-5

FortiWLC 7.0-7 -> 7.0-10

FortiWLC 8.0 -> 8.2

FortiWLC 8.3.0 -> 8.3.2

Solutions

For the FortiWLC 7.x branch, upgrade to 7.0.11 or a newer version.

For the FortiWLC 8.x branch, upgrade to 8.3.3 or a newer version.

Acknowledgement

Fortinet is pleased to thank Tom Scholten, SOLIDBE B.V. for reporting this vulnerability under responsible disclosure.