PSIRT Advisory

FortiAP system command injection through ifconfig command

Summary

A system command injection vulnerability in the FortiAP CLI admin console may allow unauthorized administrators to run arbitrary system-level commands via specially crafted ifconfig commands.

Impact

System command injection

Affected Products

FortiAP-S/W2 6.2.1, 6.2.0, 6.0.5 and below

FortiAP 6.0.5 and below

FortiAP-U all versions below 6.0.0

Solutions

Upgrade to FortiAP-S/W2 6.0.6 or 6.2.2

Upgrade to FortiAP 6.0.6

Upgrade to FortiAP-U 6.0.0
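
As an added example (not Fortinet's code), the version ranges listed above can be checked against a device inventory. The inventory format, hostnames, build suffix and the separate `FortiAP-S` / `FortiAP-W2` family names are assumptions; versions outside the listed ranges are reported as not listed rather than as fixed.

```python
import re

# (lowest affected release or None, first fixed release) per product family,
# transcribed from the Affected Products and Solutions lists above.
AFFECTED = {
    "FortiAP-S/W2": [(None, (6, 0, 6)), ((6, 2, 0), (6, 2, 2))],
    "FortiAP":      [(None, (6, 0, 6))],
    "FortiAP-U":    [(None, (6, 0, 0))],
}
# Assumption: an inventory may name the S and W2 lines separately.
ALIASES = {"FortiAP-S": "FortiAP-S/W2", "FortiAP-W2": "FortiAP-S/W2"}

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if no x.y.z is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def triage(family, version):
    """Return (status, fixed_release); status is affected, not-listed or unknown."""
    ranges = AFFECTED.get(ALIASES.get(family, family))
    ver = parse_version(version)
    if ranges is None or ver is None:
        return ("unknown", None)
    for low, fixed in ranges:
        # Tuple comparison is numeric, so 6.0.10 sorts after 6.0.6.
        if (low is None or ver >= low) and ver < fixed:
            return ("affected", ".".join(map(str, fixed)))
    return ("not-listed", None)

# Constructed sample inventory (hostnames and build suffix are made up).
INVENTORY = [
    ("ap-lobby", "FortiAP", "6.0.5"),
    ("ap-lab", "FortiAP-W2", "v6.2.1-build0001"),
    ("ap-floor3", "FortiAP-S", "6.0.10"),
    ("ap-annex", "FortiAP-U", "5.4.6"),
    ("ap-roof", "FortiAP-C", "5.4.3"),  # family not covered by this advisory
]

def report(inventory=INVENTORY):
    """Map each hostname to its (status, fixed_release) result."""
    return {host: triage(family, ver) for host, family, ver in inventory}

if __name__ == "__main__":
    for host, (status, fix) in report().items():
        print(f"{host:10} {status:10} upgrade to {fix}" if fix else f"{host:10} {status}")
```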

Acknowledgement

Fortinet is pleased to thank "NYC Cyber Command" for reporting this vulnerability under responsible disclosure.