OS command injections via GET request parameter
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-25-501
Final
1
1
2025-08-12T00:00:00
Current version
2025-08-12T00:00:00
2025-08-12T00:00:00
An improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiADC may allow a remote and authenticated attacker with low privilege to execute unauthorized code via specifically crafted HTTP parameters.
None
Execute unauthorized code or commands
FortiADC 8.0 all versions are not affectedFortiADC 7.6 all versions are not affectedFortiADC 7.4 all versions are not affectedFortiADC version 7.2.0FortiADC version 7.1.0 through 7.1.1FortiADC 7.0 all versions are not affectedFortiADC 6.2 all versions
Please upgrade to FortiADC version 7.2.1 or abovePlease upgrade to FortiADC version 7.1.2 or above
Fortinet is pleased to thank security researcher CataLpa from Dbappsecurity Co. Ltd for discovering and reporting this vulnerability under responsible disclosure.
FortiADC 7.2.0
FortiADC 7.1.1
FortiADC 7.1.0
FortiADC 6.2.6
FortiADC 6.2.5
FortiADC 6.2.4
FortiADC 6.2.3
FortiADC 6.2.2
FortiADC 6.2.1
FortiADC 6.2.0
OS command injections via GET request parameter
CVE-2025-49813
FortiADC-7.2.0
FortiADC-7.1.1
FortiADC-7.1.0
FortiADC-6.2.6
FortiADC-6.2.5
FortiADC-6.2.4
FortiADC-6.2.3
FortiADC-6.2.2
FortiADC-6.2.1
FortiADC-6.2.0
6.6
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C
https://fortiguard.fortinet.com/psirt/FG-IR-25-501
OS command injections via GET request parameter
Reference>