OS Command Injection
Summary
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiManager may allow an authenticated remote attacker to execute unauthorized code via FGFM crafted requests.
| Version | Affected | Solution |
|---|---|---|
| FortiManager Cloud 7.6 | 7.6.0 through 7.6.1 | Upgrade to 7.6.2 or above |
| FortiManager Cloud 7.4 | 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiManager Cloud 7.2 | 7.2.2 through 7.2.7 | Upgrade to 7.2.8 or above |
| FortiManager 7.6 | 7.6.0 through 7.6.1 | Upgrade to 7.6.2 or above |
| FortiManager 7.4 | 7.4.0 through 7.4.5 | Upgrade to 7.4.6 or above |
| FortiManager 7.2 | 7.2.1 through 7.2.8 | Upgrade to 7.2.9 or above |
| FortiManager 7.0 | Not affected | Not Applicable |
This vulnerability was publicly disclosed by Watchtowr, without following the industry-standard responsible disclosure process, and advertised via their X account.
Please Note: This vulnerability does not enable an attacker to use an unauthorized device to exploit FortiManager instances, and does not bypass or negate the patch deployed for FG-IR-24-423.
To exploit this vulnerability, an attacker needs to be in possession of the local certificate and private key of a FortiGate registered and authorised to the targeted FortiManager. Under regular conditions, these cannot be extracted, even by a FortiGate's admin.
Note that to the best of our knowledge, this vulnerability has not been observed to be exploited in the wild.