OS command injection in CLI command

Summary

Multiple improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerabilities [CWE-78] in FortiManager CLI may allow a privileged attacker to execute unauthorized code or commands via crafted CLI requests.

| Version | Affected | Solution |
|---|---|---|
| FortiAnalyzer 7.6 | Not affected | Not Applicable |
| FortiAnalyzer 7.4 | 7.4.0 through 7.4.3 | Upgrade to 7.4.4 or above |
| FortiAnalyzer 7.2 | 7.2.0 through 7.2.5 | Upgrade to 7.2.6 or above |
| FortiAnalyzer 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiAnalyzer 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiAnalyzer 6.2 | 6.2 all versions | Migrate to a fixed release |
| FortiAnalyzer-BigData 7.4 | 7.4.0 through 7.4.1 | Upgrade to 7.4.2 or above |
| FortiAnalyzer-BigData 7.2 | 7.2.0 through 7.2.7 | Upgrade to 7.2.8 or above |
| FortiAnalyzer-BigData 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiAnalyzer-BigData 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiManager 7.6 | Not affected | Not Applicable |
| FortiManager 7.4 | 7.4.0 through 7.4.3 | Upgrade to 7.4.4 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.5 | Upgrade to 7.2.6 or above |
| FortiManager 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiManager 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiManager 6.2 | 6.2 all versions | Migrate to a fixed release |
| FortiManager 6.0 | 6.0 all versions | Migrate to a fixed release |
| FortiManager 5.6 | 5.6 all versions | Migrate to a fixed release |
| FortiManager 5.4 | 5.4 all versions | Migrate to a fixed release |
| FortiManager 5.2 | 5.2 all versions | Migrate to a fixed release |
| FortiManager 5.0 | 5.0 all versions | Migrate to a fixed release |
| FortiManager 4.3 | 4.3.4 through 4.3.8 | Migrate to a fixed release |

Acknowledgement

Internally discovered and reported by Adham El karn of the Fortinet Product Security team.

Timeline

2025-03-11: Initial publication