Unpatched Fortinet Bug Allows Firewall Takeovers
Quote: An unpatched OS command-injection security vulnerability has been disclosed in Fortinet’s web application firewall (WAF) platform, known as FortiWeb. It could allow privilege escalation and full device takeover, researchers said.

FortiWeb is a cybersecurity defense platform, aimed at protecting business-critical web applications from attacks that target known and unknown vulnerabilities. The firewall has been to keep up with the deployment of new or updated features, or the addition of new web APIs, according to Fortinet.
 
The bug (CVE pending) exists in FortiWeb’s management interface (version 6.3.11 and prior), and carries a CVSSv3 base score of 8.7 out of 10, making it high-severity. It can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page, according to Rapid7 researcher William Vu who discovered the bug.
 
“Note that while authentication is a prerequisite for this exploit, this vulnerability could be combined with another authentication-bypass issue, such as CVE-2020-29015,” according to a Tuesday writeup on the issue.
 
Once attackers are authenticated to the management interface of the FortiWeb device, they can smuggle commands using backticks in the “Name” field of the SAML Server configuration page. These commands are then executed as the root user of the underlying operating system.

“An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,” according to the writeup. “They might install a persistent shell, crypto mining software, or other malicious software.”

Read more: Unpatched Fortinet Bug Allows Firewall Takeovers | Threatpost
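The flaw described above is a classic command-injection pattern: a user-supplied string (the SAML server "Name") ends up inside a shell command, so backticks are interpreted rather than stored. The following is an added example, not code from Threatpost, Rapid7 or Fortinet, showing the defensive pattern a developer or reviewer should look for: an allowlist on the field, and passing the value as an argument vector instead of a shell string so that no metacharacter is ever parsed. The tool name `saml-tool` and its flags are hypothetical placeholders.

```python
import re
import shlex

# Allowlist for a display-name field: letters, digits, space, dot, underscore,
# hyphen, bounded length. Backticks, $(), ;, | and friends fail this check.
NAME_ALLOWED = re.compile(r"[A-Za-z0-9 ._-]{1,64}")

# Characters that a POSIX shell would interpret; useful for audit logging of
# rejected input (assumed set, not taken from any vendor documentation).
SHELL_METACHARS = set("`$();|&<>\\\"'\n")


def validate_saml_name(name: str) -> bool:
    """Return True only if the name matches the allowlist in full."""
    return NAME_ALLOWED.fullmatch(name) is not None


def find_shell_metachars(name: str) -> list:
    """List the shell metacharacters present, in order, for a rejection log entry."""
    return [c for c in name if c in SHELL_METACHARS]


def build_command_unsafe(name: str) -> str:
    """The vulnerable shape: string concatenation handed to a shell.
    Anything in backticks or $() inside `name` would run as the calling user."""
    return "saml-tool register --name " + name          # hypothetical tool


def build_command_safe(name: str) -> list:
    """The hardened shape: an argv list. Each element reaches the program
    verbatim; there is no shell to expand backticks, so '`id`' stays literal."""
    if not validate_saml_name(name):
        raise ValueError("SAML server name rejected: %r" % find_shell_metachars(name))
    return ["saml-tool", "register", "--name", name]   # hypothetical tool


def build_command_quoted(name: str) -> str:
    """Fallback when a shell string is unavoidable: shlex.quote wraps the value
    in single quotes so the shell treats it as one literal word."""
    return "saml-tool register --name " + shlex.quote(name)


if __name__ == "__main__":
    # Constructed sample input, modelled on the backtick trick described in the article.
    hostile = "corp-idp `id`"
    print("allowlist:", validate_saml_name(hostile))           # False
    print("metachars:", find_shell_metachars(hostile))         # ['`', '`']
    print("unsafe   :", build_command_unsafe(hostile))         # shell would run id
    print("quoted   :", build_command_quoted(hostile))         # 'corp-idp `id`' stays literal
    print("safe     :", build_command_safe("corp-idp"))        # argv list, no shell
```

The point to carry into code review: the fix for this bug class is not a blocklist of backticks (attackers reach for `$()` next), it is never letting the field reach a shell at all, with an allowlist as defence in depth.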