FortiAP system files overwrite via the tcpdump CLI command

Summary

An improper input validation (CWE-20) vulnerability in FortiAP CLI admin console may allow unauthorized administrators to overwrite system files via specially crafted tcpdump commands in the CLI.

Affected Products

FortiAP-S/W2 6.2.0 to 6.2.2, 6.0.5 and below
FortiAP-U 6.0.1 and below
FortiAP is not impacted
FortiAP-C is not impacted

Solutions

Upgrade to FortiAP-S/W2 6.0.6 or 6.2.3 and above Upgrade to FortiAP-U 6.0.2 or above Revision History: 02-10-2020 Initial version 05-25-2020 Added FAP, FAP-U and FAP-C impact info.

Acknowledgement

Fortinet is pleased to thank “NYC Cyber Command” for reporting this vulnerability under responsible disclosure.