PSIRT Advisories

FortiWeb - Stack-based buffer overflow in command line interpreter


Multiple stack-based buffer overflows [CWE-121] in the command line interpreter of FortiWeb may allow an authenticated attacker to achieve arbitrary code execution via specially crafted commands.

Affected Products

FortiWeb 6.4.1 and earlier.
FortiWeb 6.3.15 and earlier.
FortiWeb 6.2.5 and earlier.
FortiWeb 6.1.2 and earlier.
FortiWeb 6.0.7 and earlier.

All FortiWeb versions 5.x are also affected.

Solutions

Upgrade to FortiWeb 6.4.2 and later.
Upgrade to FortiWeb 6.3.16 and later.
Upgrade to FortiWeb 6.2.6 and later.

Fixes for older versions to be confirmed.
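To check an inventory of FortiWeb appliances against the ranges above, here is an added example (not part of the advisory or of any Fortinet tooling) that classifies a version string as affected, fixed, affected with no confirmed fix, or not covered. The branch tables are transcribed from this advisory; the assumption that versions are dotted integers "major.minor.patch" is mine.

```python
# Added example, not from the advisory: classify a FortiWeb version string
# against the affected/fixed ranges listed in this advisory.
from typing import Tuple

# Highest affected release per 6.x branch, as listed under Affected Products.
AFFECTED_THROUGH = {
    (6, 4): (6, 4, 1),
    (6, 3): (6, 3, 15),
    (6, 2): (6, 2, 5),
    (6, 1): (6, 1, 2),
    (6, 0): (6, 0, 7),
}

# First fixed release per branch, as listed under Solutions.
# Branches missing here (6.1, 6.0, all 5.x) have no confirmed fix yet.
FIXED_FROM = {
    (6, 4): (6, 4, 2),
    (6, 3): (6, 3, 16),
    (6, 2): (6, 2, 6),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' (assumption: dotted integers; missing patch => 0)."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def classify(text: str) -> str:
    """Return 'affected', 'fixed', 'affected-no-fix-yet' or 'unknown'."""
    ver = parse_version(text)
    major, minor, _ = ver
    if major == 5:
        return "affected-no-fix-yet"  # advisory: all 5.x affected, fix to be confirmed
    branch = (major, minor)
    if branch not in AFFECTED_THROUGH:
        return "unknown"  # branch not covered by this advisory (e.g. 7.x)
    if ver <= AFFECTED_THROUGH[branch]:
        return "affected" if branch in FIXED_FROM else "affected-no-fix-yet"
    if branch in FIXED_FROM and ver >= FIXED_FROM[branch]:
        return "fixed"
    return "unknown"  # above the affected range on a branch with no confirmed fix


if __name__ == "__main__":
    for v in ("6.4.1", "6.4.2", "6.3.15", "6.1.2", "5.9.1", "7.0.0"):
        print(v, "->", classify(v))
```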

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.