Unpatched Remote Hacking Flaw Disclosed in Fortinet’s FortiWeb WAF

T-Mobile is Warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. Get Secured Now with Norton 360

Fortinet FortiWeb WAF

Details have emerged about a new unpatched security vulnerability in Fortinet’s web application firewall (WAF) appliances that could be abused by a remote, authenticated attacker to execute malicious commands on the system.

“An OS command injection vulnerability in FortiWeb’s management interface (version 6.3.11 and prior) can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page,” cybersecurity firm Rapid7 said in an advisory published Tuesday. “This vulnerability appears to be related to CVE-2021-22123, which was addressed in FG-IR-20-120.”

Stack Overflow Teams

Rapid7 said it discovered and reported the issue in June 2021. Fortinet is expected to release a patch at the end of August with version Fortiweb 6.4.1.

The command injection flaw is yet to be assigned a CVE identifier, but it has a severity rating of 8.7 on the CVSS scoring system. Successful exploitation of the vulnerability can allow authenticated attackers to execute arbitrary commands as the root user on the underlying system via the SAML server configuration page.

“An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,” Rapid7’s Tod Beardsley said. “They might install a persistent shell, crypto mining software, or other malicious software. In the unlikely event the management interface is exposed to the internet, they could use the compromised platform to reach into the affected network beyond the DMZ.”

Rapid7 also warns that while authentication is a prerequisite for achieving arbitrary command execution, the exploit could be chained with an authentication bypass flaw, such as CVE-2020-29015. In the interim, users are advised to block access to the FortiWeb device’s management interface from untrusted networks, including taking steps to prevent direct exposure to the internet.

Prevent Ransomware Attacks

Although there is no evidence that the new security issue has been exploited in the wild, it’s worth noting that unpatched Fortinet servers have been a lucrative target for financially motivated and state-sponsored threat actors alike.

Earlier this April, the Federal Bureau of Investigation (FBI) and the…