PSIRTRemote unauthenticated command injection
Summary
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests.
Practical exploit code for this vulnerability was found in the wild.
| Version | Affected | Solution |
|---|---|---|
| FortiSIEM 7.5 | 7.5 all versions | Migrate to a fixed release |
| FortiSIEM 7.4 | 7.4 all versions | Migrate to a fixed release |
| FortiSIEM 7.3 | 7.3 all versions | Migrate to a fixed release |
| FortiSIEM 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiSIEM 7.1 | 7.1 all versions | Migrate to a fixed release |
| FortiSIEM 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiSIEM 6.7 | 6.7 all versions | Migrate to a fixed release |
| FortiSIEM 6.6 | 6.6 all versions | Migrate to a fixed release |
| FortiSIEM 6.5 | 6.5 all versions | Migrate to a fixed release |
| FortiSIEM 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiSIEM 6.3 | 6.3 all versions | Migrate to a fixed release |
| FortiSIEM 6.2 | 6.2 all versions | Migrate to a fixed release |
| FortiSIEM 6.1 | 6.1 all versions | Migrate to a fixed release |
| FortiSIEM 5.4 | 5.4 all versions | Migrate to a fixed release |
| FortiSIEM 5.3 | 5.3 all versions | Migrate to a fixed release |
| FortiSIEM 5.2 | 5.2 all versions | Migrate to a fixed release |
| FortiSIEM 5.1 | 5.1 all versions | Migrate to a fixed release |
| FortiSIEM 5.0 | 5.0 all versions | Migrate to a fixed release |
| FortiSIEM 4.10 | 4.10 all versions | Migrate to a fixed release |
| FortiSIEM 4.9 | 4.9 all versions | Migrate to a fixed release |
| FortiSIEM 4.7 | 4.7 all versions | Migrate to a fixed release |
IoCs
The exploitation code does not appear to produce distinctive IoCs.
Workaround
- Limit access to the phMonitor port (7900)