PSIRT Advisory
FortiAP system files overwrite via the tcpdump CLI command
Summary
An improper input validation (CWE-20) vulnerability in FortiAP CLI admin console may allow unauthorized administrators to overwrite system files via specially crafted tcpdump commands in the CLI.
Impact
Improper Input Validation
Affected Products
FortiAP-S/W2 6.2.0 to 6.2.2, 6.0.5 and below
FortiAP-U 6.0.1 and below
FortiAP is not impacted
FortiAP-C is not impacted
Solutions
Upgrade to FortiAP-S/W2 6.0.6 or 6.2.3 and above
Upgrade to FortiAP-U 6.0.2 or above
Revision History:
02-10-2020 Initial version
05-25-2020 Added FAP, FAP-U and FAP-C impact info.
Acknowledgement
Fortinet is pleased to thank “NYC Cyber Command” for reporting this vulnerability under responsible disclosure.