OS Command Injection in FortiADC

#VU80870 OS Command Injection in FortiADC

Published: 2023-09-18

Vulnerability identifier: #VU80870

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-35849

CWE-ID: CWE-78

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
FortiADC
Server applications / Other server solutions

Vendor: Fortinet, Inc

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper input validation in Automation/Webhook module. A local user can pass specially crafted arguments to existing commands and execute arbitrary commands on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

FortiADC: 6.2.0 - 6.2.5, 7.1.0 - 7.1.1, 7.0.0 - 7.0.3, 6.1.0 - 6.1.6

CPE

cpe:2.3:a:fortinet:fortiadc:6.2.5:*:*:*:*:*:*:*

External links
http://fortiguard.com/psirt/FG-IR-22-310

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Privilege escalation in FortiADC