PSIRT Advisory

FortiAP system command injection through ifconfig command


A system command injection vulnerability in the FortiAP CLI admin console may allow unauthorized administrators to run arbitrary system-level commands via specially crafted ifconfig commands.


system command injection

Affected Products

FortiAP-S/W2 6.2.1, 6.2.0, 6.0.5 and below

FortiAP 6.0.5 and below

FortiAP-U all versions below 6.0.0


Upgrade to FortiAP-S/W2 6.0.6 or 6.2.2

Upgrade to FortiAP 6.0.6

Upgrade to FortiAP-U 6.0.0


Fortinet is pleased to thank "NYC Cyber Command" for reporting this vulnerability under responsible disclosure.