FortiSOAR - OS Command Injection in Agent Password Field


An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSOAR may allow an authenticated attacker to execute unauthorized code or commands by supplying a crafted value in the agent password field via HTTP GET requests.
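The CWE-78 pattern the summary names, as an added illustration that is not FortiSOAR's code and makes no claim about how FortiSOAR's agent registration is implemented: a hypothetical "register agent" step that hands a password field to a command-line tool, built first the vulnerable way (string interpolation into a command run by a shell) and then the hardened way (argument list, no shell). Python stands in for the command-line tool and simply reports the argv it received; the tool name, flag names and the sample password are all constructed for the example.

```python
"""Constructed CWE-78 illustration (not FortiSOAR's code).

The child process is Python itself, standing in for a hypothetical
'agent-register' tool; it prints the argv it was started with as JSON
so the caller can see how the shell (or the absence of one) split the
password field.
"""
import shlex
import subprocess
import sys
from typing import List

# Stand-in for the external tool: echo back argv[1:] as a JSON list.
ARGV_REPORTER = "import sys, json; print(json.dumps(sys.argv[1:]))"


def register_agent_unsafe(password: str) -> List[str]:
    """Vulnerable pattern: the attacker-controlled password is pasted into
    a single command string that /bin/sh parses. Any shell metacharacter
    in the field (';', '|', '$(...)', backticks) is interpreted, so extra
    commands run with the privileges of the calling service.
    Returns the child's stdout lines so the effect can be inspected."""
    cmd = (
        f"{shlex.quote(sys.executable)} -c {shlex.quote(ARGV_REPORTER)} "
        f"--password {password}"          # <-- unquoted, attacker-controlled
    )
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout.splitlines()


def register_agent_safe(password: str) -> List[str]:
    """Hardened pattern: build argv as a list and execute it directly
    (shell=False). No shell ever sees the password, so it arrives in the
    child as exactly one argument no matter what characters it contains."""
    argv = [sys.executable, "-c", ARGV_REPORTER, "--password", password]
    result = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return result.stdout.splitlines()


if __name__ == "__main__":
    # Constructed payload: a valid-looking password followed by a shell
    # command separator and a harmless second command.
    payload = "s3cret; echo INJECTED"
    print("unsafe:", register_agent_unsafe(payload))
    print("safe:  ", register_agent_safe(payload))
```

A password field is a poor candidate for character filtering, since passwords legitimately contain `;`, `$`, quotes and backticks; the fix is to stop handing the value to a shell at all (argv list, or pass the secret via an environment variable or stdin), with `shlex.quote` reserved for the rare case where a shell string is unavoidable.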

Version        Affected             Solution
FortiSOAR 7.2  7.2.0                Upgrade to 7.2.1 or above
FortiSOAR 7.0  7.0.0 through 7.0.2  Upgrade to 7.0.3 or above
FortiSOAR 6.4  6.4.3 through 6.4.4  Migrate to a fixed release
FortiSOAR 6.4  6.4.1                Migrate to a fixed release


Fortinet is pleased to thank security researchers Ryan Catterall and OJ Reeves of Beyond Binary for discovering and reporting this vulnerability under responsible disclosure.