Unpatched Fortinet Bug Would Allow Remote Attackers To Execute Arbitrary Commands

A 0-day command injection vulnerability was found in Fortinet FortiWeb (WAF), and the security report claimed that Fortinet will soon release a fix for this vulnerability.

This vulnerability was initially detected by the cybersecurity researchers of Rapid7 it enables an authenticated attacker to administer arbitrary commands as root by the SAML server configuration page.

Not only this but they also reported that the threat actor could use it to obtain full control of the vulnerable device with the most formidable possible opportunities. 

However, this vulnerability has been detected on Fortinet’s web application firewall (WAF) platform, acknowledged as FortiWeb. 

FortiWeb is a cybersecurity protection platform, its main motive is to protect business-critical web applications from attacks that generally target associated and undiscovered vulnerabilities.

Flaw profile

  • CVE ID: CVE-2020-29015
  • Summary: It is a blind SQL injection flaw in the UI of FortiWeb 6.3.0 through 6.3.7 and version before 6.2.4. By exploiting this security flaw an unauthenticated threat actor can execute arbitrary SQL queries or commands remotely.
  • IR Number: FG-IR-20-124
  • Date: Jan 04, 2021
  • Risk: 3 out of 5
  • CVSSv3 Score: 6.4
  • Impact: Execute unauthorized code or commands

Fortinet is popular for exploit

Fortinet’s cybersecurity commodities are quite famous as exploitation streets along with cyber attackers. Even it also includes nation-state actors, therefore the experts suggested that every user must plan to patch it as soon as possible.

After detecting this vulnerability, the FBI along with the Cybersecurity and Infrastructure Security Agency (CISA) informed several advanced determined threats (APTs) were currently exploiting three security vulnerabilities in the Fortinet SSL VPN for espionage.

Moreover, the experts pronounced that the exploits for CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812 were being used to obtain space within networks before implementing their planned operation.

Disclosure Timeline

After a proper investigation, the security analysts have mentioned a full list of disclosure timelines that they have made, and here we have mentioned below:-

  • June, 2021: Issue identified and confirmed by William Vu of Rapid7
  • Thu, Jun 10, 2021: Initial exposure to the vendor through their PSIRT Contact Form
  • Fri, Jun 11, 2021: Recognized by the vendor (ticket 132097)
  • Wed, Aug 11, 2021: Follow up with the vendor
  • Tue, Aug 17, 2021: Public exposure through this post
  • Tue, Aug 17, 2021: The vendor meant that Fortiweb 6.4.1 is expected to add a fix, and will be published at the end of August

Remediation

Apart from this, the cybersecurity researchers have suggested some remediation, until Fortinet is not releasing the patch for the vulnerability. Initially, users must disable the FortiWeb device’s management interface from suspicious networks, which also include the internet.

Not only this but FortiWeb should not get reveal directly to the internet, as it should be reachable only through trusted internal networks, or it can be reached over a secure VPN connection.

While the security authorities of Rapid7 requested every user to follow the recommendation, until and unless a security patch is not being disclosed by Fortinet.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Chinese Hackers Breach Belgium State Security Service as Investigation Continues

Belgium’s State Security Service (VSSE) has suffered what is being described as its most severe…

11 hours ago

Hacktivist Groups Emerge With Powerful Tools for Large-Scale Cyber Operations

Hacktivism, once synonymous with symbolic website defacements and distributed denial-of-service (DDoS) attacks, has evolved into…

11 hours ago

New Pass-the-Cookie Attacks Bypass MFA, Giving Hackers Full Account Access

Multi-factor authentication (MFA), long considered a cornerstone of cybersecurity defense, is facing a formidable new…

16 hours ago

Chinese Hackers Exploit Check Point VPN Zero-Day to Target Organizations Globally

A sophisticated cyberespionage campaign linked to Chinese state-sponsored actors has exploited a previously patched Check…

18 hours ago

PingAM Java Agent Vulnerability Allows Attackers to Bypass Security

A critical security flaw (CVE-2025-20059) has been identified in supported versions of Ping Identity’s PingAM…

18 hours ago

New GitHub Scam Uses Fake “Mods” and “Cracks” to Steal User Data

A sophisticated malware campaign leveraging GitHub repositories disguised as game modifications and cracked software has…

19 hours ago