Security Experts:

Connect with us

Hi, what are you looking for?



High-Severity Command Injection Vulnerability Found in Fortinet Firewall

Researchers have discovered a vulnerability in Fortinet’s FortiWeb web application firewall (WAF), and while it has been classified as high severity, the actual risk of exploitation in the wild seems low.

Researchers have discovered a vulnerability in Fortinet’s FortiWeb web application firewall (WAF), and while it has been classified as high severity, the actual risk of exploitation in the wild seems low.

The flaw was discovered by William Vu, researcher at cybersecurity firm Rapid7, and it’s unclear if it has been patched by the vendor. Nevertheless, Rapid7 disclosed its details on Tuesday.

SecurityWeek reached out to Fortinet for comment before the publication of this article, but the company has yet to respond.

Tod Beardsley, director of research at Rapid7, told SecurityWeek that they have not seen any information from Fortinet regarding a patch, but they do expect the vulnerability to be fixed soon.

The issue identified by Vu is a variation of CVE-2021-22123, a FortiWeb OS command injection vulnerability patched by Fortinet a few months ago.

The flaw impacts the management interface of the FortiWeb WAF, specifically the “Name” field of a SAML Server configuration page, which can be abused to execute arbitrary commands with root privileges. This can ultimately allow the attacker to take complete control of the device.

“[The attacker] might install a persistent shell, crypto mining software, or other malicious software. In the unlikely event the management interface is exposed to the internet, they could use the compromised platform to reach into the affected network beyond the DMZ,” Rapid7 said in a blog post.

However, it’s worth noting that exploitation of the vulnerability requires the attacker to be authenticated on the targeted system.

“[The vulnerability] can only be exploited by either a malicious insider or on a device that mistakenly exposes its management interface to the internet,” Beardsley said via email. “Further, the attacker needs to be already authenticated, so the attacker would need to either first have a username and password, guess the same, or use another vulnerability to bypass authentication (like CVE-2020-29015).”

“So, given all these constraints, I’d say the risk is ‘pretty low.’ A lot has to go right for the attacker — namely, a network misconfiguration and an authentication bypass or guess,” he added.

Rapid7 pointed out that while its recent scans showed roughly one million internet-exposed Fortinet devices, only some of those are FortiWeb systems, and only a small fraction of those expose their management interface to the web. Rapid7 has only seen a couple hundred FortiWeb management interfaces exposed to the internet.

Given the widespread use of Fortinet products, it’s not surprising that many state-sponsored and profit-driven threat actors have been exploiting vulnerabilities in these products. The U.S. government has issued several warnings and advisories related to the exploitation of Fortinet vulnerabilities.

UPDATE: Fortinet has provided SecurityWeek the following statement:

“The security of our customers is always our first priority. Fortinet recognizes the important role of independent security researchers who work closely with vendors to protect the cybersecurity ecosystem in alignment with their responsible disclosure policies. In addition to directly communicating with researchers, our disclosure policy is clearly outlined on the Fortinet PSIRT Policy page, which includes asking incident submitters to maintain strict confidentiality until complete resolutions are available for customers. As such, we had expected that Rapid7 hold any findings prior to the end of the our 90-day Responsible disclosure window. We regret that in this instance, individual research was fully disclosed without adequate notification prior to the 90-day window. We are working to deliver immediate notification of a workaround to customers and a patch released by the end of the week.”

Related: Fortinet Patches Remote Code Execution Vulnerability in FortiManager, FortiAnalyzer

Related: Vulnerabilities Expose Fortinet Firewalls to Remote Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet