PSIRT Advisory

FortiExtender OS command injection through execute date CLI command


An OS command injection vulnerability in the FortiExtender CLI admin console may allow unauthorized administrators to run arbitrary system-level commands via specially crafted "execute date" commands.


OS command injection

Affected Products

FortiExtender 4.1.0 to 4.1.1, 4.0.0 and below


Upgrade to FortiExtender 4.0.1 or 4.1.2
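
To triage a fleet against the version ranges above, the following check can be run over an inventory export. It is an added example, not Fortinet code; the "X.Y.Z" version string format, the hostnames, the choice of 4.0.1 as the target for pre-4.0 devices, and the "ok"/"review" labels are assumptions. Versions the advisory does not list are reported as "ok".

```python
import re

# Inclusive version ranges transcribed from "Affected Products" above.
AFFECTED = [
    ((0, 0, 0), (4, 0, 0)),  # "4.0.0 and below"
    ((4, 1, 0), (4, 1, 1)),  # "4.1.0 to 4.1.1"
]
# Fixed releases named by the advisory, keyed by (major, minor) branch.
FIXED = {(4, 0): (4, 0, 1), (4, 1): (4, 1, 2)}


def parse_version(text):
    """Parse 'X.Y.Z'; a leading 'v' and trailing build text are ignored (assumed format)."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def upgrade_target(version):
    """Return the fixed release for an affected version, or None if not affected."""
    v = parse_version(version)
    if not is_affected(version):
        return None
    # Assumption: stay on the 4.1 branch if already there, otherwise go to 4.0.1.
    return ".".join(map(str, FIXED.get(v[:2], FIXED[(4, 0)])))


def triage(inventory):
    """Map each device to a fixed release, 'ok', or 'review' if unparseable."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = upgrade_target(version) or "ok"
        except ValueError:
            result[host] = "review"  # never silently treat unknown as safe
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {"fex-a": "4.1.1", "fex-b": "v4.0.0", "fex-c": "4.1.2",
          "fex-d": "3.2.1", "fex-e": "4.0.1", "fex-f": "unknown"}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```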

Revision History:
2019-10-28 Initial version
2019-11-01 Add 4.0 branch fix information.


Fortinet is pleased to thank "NYC Cyber Command" for reporting this vulnerability under responsible disclosure.