FortiADC - Command injection in diagnose system df CLI command

Summary

An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in the FortiADC CLI may allow a local and authenticated attacker to execute unauthorized commands via specifically crafted arguments to the diagnose system df CLI command.
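The weakness class above (CWE-78 in a CLI wrapper that hands an operator-supplied argument to df) is illustrated below with a hypothetical wrapper; this is an added example, not FortiADC code, and the function names, the path allowlist and the crafted sample argument are constructed for illustration.

```python
# Added example (not FortiADC code): a hypothetical "diagnose system df"
# style wrapper, shown first in its CWE-78 form and then hardened.
import re
import subprocess

# Allowlist for the one argument the command accepts: an absolute path made
# of benign characters only, so shell metacharacters can never appear in it.
SAFE_PATH = re.compile(r"/[A-Za-z0-9._/-]*")


def vulnerable_command(user_arg: str) -> str:
    """'Before': the argument is concatenated into a shell command string.

    Returned rather than executed so the injected text stays visible; a
    shell given this string would run df and then whatever follows ';'.
    """
    return "df -h " + user_arg


def validate_path(user_arg: str) -> bool:
    """Return True only when the whole argument matches the allowlist."""
    return SAFE_PATH.fullmatch(user_arg) is not None


def hardened_argv(user_arg: str) -> list:
    """'After': reject anything outside the allowlist and pass the argument
    as its own argv element, so no shell ever parses it. '--' additionally
    stops df from treating the value as an option."""
    if not validate_path(user_arg):
        raise ValueError("invalid path argument")
    return ["df", "-h", "--", user_arg]


def run_df(user_arg: str) -> str:
    """Execute the hardened form without a shell and return df's output."""
    result = subprocess.run(hardened_argv(user_arg), capture_output=True,
                            text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    crafted = "/; id"  # constructed sample of a crafted argument
    print(vulnerable_command(crafted))  # shell string with a second command
    print(validate_path(crafted))       # False: rejected before execution
    print(run_df("/"))
```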

Version        Affected               Solution
FortiADC 7.1   7.1.0                  Upgrade to 7.1.1 or above
FortiADC 7.0   7.0.0 through 7.0.3    Upgrade to 7.0.4 or above
FortiADC 6.2   6.2.0 through 6.2.4    Upgrade to 6.2.5 or above
FortiADC 6.1   6.1 all versions       Migrate to a fixed release
FortiADC 6.0   6.0 all versions       Migrate to a fixed release

Timeline

2023-06-05: Initial publication