PSIRT Advisory

FortiExtender OS command injection through execute date CLI command

Summary

An OS command injection vulnerability in FortiExtender CLI admin console may allow unauthorized administrators to run arbitrary system level commands via specially crafted "execute date" commands.
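The class of flaw summarized above, shown from the defensive side as an added illustration that is not Fortinet's code: a CLI handler that forwards an operator-supplied date argument to a system helper validates it against a strict format and runs the helper with an argument vector, never through a shell. The YYYY-MM-DD format, the function names and /bin/echo as a stand-in for the real helper are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed argument format for this sketch: exactly "YYYY-MM-DD". */
int date_arg_is_valid(const char *s)
{
    static const char shape[] = "dddd-dd-dd";   /* d = digit, - = literal */
    if (s == NULL || strlen(s) != sizeof shape - 1)
        return 0;
    for (size_t i = 0; shape[i] != '\0'; i++) {
        if (shape[i] == 'd' ? !isdigit((unsigned char)s[i]) : s[i] != '-')
            return 0;
    }
    int month = (s[5] - '0') * 10 + (s[6] - '0');
    int day   = (s[8] - '0') * 10 + (s[9] - '0');
    return month >= 1 && month <= 12 && day >= 1 && day <= 31;
}

/* Hypothetical handler: -1 if the argument is rejected, else the helper's
 * exit status. The weak pattern is formatting the argument into a string
 * for system(), where /bin/sh interprets any metacharacters it contains. */
int run_date_command(const char *helper, const char *arg)
{
    if (!date_arg_is_valid(arg))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* argv array, no shell: the argument stays one literal string */
        char *const argv[] = { (char *)helper, (char *)arg, NULL };
        execv(helper, argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed inputs; /bin/echo stands in for the date-setting helper. */
    printf("%d\n", run_date_command("/bin/echo", "2019-10-28"));
    printf("%d\n", run_date_command("/bin/echo", "2019-10-28;id"));
}
```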

Impact

OS command injection

Affected Products

FortiExtender 4.1.0 to 4.1.1, 4.0.0 and below

Solutions

Upgrade to FortiExtender 4.0.1 or 4.1.2


Revision History:
2019-10-28 Initial version
2019-11-01 Add 4.0 branch fix information.

Acknowledgement

Fortinet is pleased to thank "NYC Cyber Command" for reporting this vulnerability under responsible disclosure.