Fortinet OS Command Injection Vulnerability Lets Attackers Execute Unauthorised Code on FortiAnalyzer-Cloud

Fortinet, a leading provider of cybersecurity solutions, has recently addressed a significant security vulnerability, CVE-2023-42788, classified as an OS command injection issue under CWE-78.

This vulnerability was earlier reported to affect multiple products, including FortiManager and FortiAnalyzer; today Fortinet confirmed that it also affects the FortiAnalyzer-Cloud product. It poses a risk of unauthorized code execution by local attackers with low privileges.

Vulnerability Details

The vulnerability, tracked as CVE-2023-42788, is an improper neutralization of special elements used in an OS command, allowing attackers to execute unauthorized code via specifically crafted arguments to a CLI command.

It was discovered by security researcher Loïc Restoux of Orange Innovation and Orange CERT-CC, who reported it under responsible disclosure.

This issue is a follow-up to a previously identified vulnerability, CVE-2021-26104, where the initial fix was incomplete, highlighting the ongoing challenge of securing CLI interfaces.

The technical details show that the vulnerability lies in specific CLI commands, notably diagnose system export umlog ftp and fmwslog, whose parameters are not properly sanitized.

Attackers can exploit this by using tar command options such as --checkpoint and --checkpoint-action to spawn an interactive root shell, significantly escalating their privileges.

A proof of concept demonstrates this exploitation via an FTP transfer with crafted parameters, underscoring the severity of the issue.

“An improper neutralization of special elements used in an os command (‘OS Command Injection’) vulnerability [CWE-78] in FortiManager, FortiAnalyzer & FortiAnalyzer-BigData may allow a local attacker with low privileges to execute unauthorized code via specifically crafted arguments to a CLI command” Fortinet alerted.

Affected Products and Versions

The vulnerability impacts a wide range of FortiManager Cloud products and versions, as detailed in the following table:

Version                | Affected              | Solution
FortiManager Cloud 7.4 | Not affected          | Not Applicable
FortiManager Cloud 7.2 | 7.2.1 through 7.2.3   | Upgrade to 7.2.4 or above
FortiManager Cloud 7.0 | 7.0.1 through 7.0.8   | Upgrade to 7.0.9 or above
FortiManager Cloud 6.4 | 6.4 all versions      | Migrate to a fixed release

This table, derived from Fortinet’s official advisories, helps users identify whether their systems are at risk and take appropriate action.

The severity of CVE-2023-42788 is underscored by its CVSSv3 score of 7.6, indicating a high risk. The vulnerability’s potential impact includes the execution of arbitrary commands with root privileges, which could lead to complete system compromise.

The CVSS v3 metrics further detail the attack vector as local, with low attack complexity, requiring high privileges, no user interaction, and unchanged scope, with high confidentiality, integrity, and availability impacts.

Recommended Actions and Mitigation

To mitigate the risk, Fortinet recommends upgrading to the specified fixed versions for each affected product, as outlined in the table above.

These updates are crucial to prevent exploitation, especially given the proof of concept demonstrating root shell access.

Beyond patching, organizations should implement strict access controls to limit local access, monitor system logs for suspicious activities, and consider conducting security audits.

These measures can help detect and respond to potential exploitation attempts, enhancing overall security posture.
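The argument-injection pattern described in the technical details, and the log monitoring recommended above, are illustrated by the following added example. It is not Fortinet's code; the internal CLI-to-tar handling, the audit-log format and the command syntax after "ftp" are all assumed, and the sample log lines are constructed.

```python
import re
from typing import List, Tuple

# Constructed CLI audit-log lines in the shape of a command log; not Fortinet's real format,
# and the command syntax after "ftp" is assumed (host, user, password, file name).
SAMPLE_CLI_LOG = [
    'user=admin cmd="diagnose system export umlog ftp 192.0.2.10 backup secret logs.tgz"',
    'user=ops cmd="diagnose system export fmwslog ftp 192.0.2.10 backup secret '
    '--checkpoint=1 --checkpoint-action=exec=[redacted]"',
    'user=ops cmd="get system status"',
]

EXPORT_CMD = re.compile(r'cmd="diagnose system export (?:umlog|fmwslog)\b(?P<args>[^"]*)"')
# Export file names must start with an alphanumeric so tar can never read them as options.
FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def build_tar_argv_unsafe(filename: str) -> List[str]:
    """Vulnerable shape (hypothetical): the user value lands where tar still parses
    options, so a value such as --checkpoint-action=... is an option, not a file name.
    No shell is involved, so filtering shell metacharacters alone would not close this."""
    return ["tar", "-czf", "/tmp/export.tgz", filename]


def is_safe_filename(filename: str) -> bool:
    """Allow-list check: alphanumeric start, no path separators, bounded length."""
    return FILENAME.match(filename) is not None


def build_tar_argv_safe(filename: str) -> List[str]:
    """Hardened shape: allow-list the value and end option parsing with '--'
    as defence in depth, so even a dash-prefixed value would be an operand."""
    if not is_safe_filename(filename):
        raise ValueError(f"rejected export file name: {filename!r}")
    return ["tar", "-czf", "/tmp/export.tgz", "--", filename]


def flag_option_injection(log_lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Detection: for each export command, report the user and any argument
    tokens that look like options; legitimate arguments never start with '-'."""
    hits = []
    for line in log_lines:
        m = EXPORT_CMD.search(line)
        if not m:
            continue
        suspicious = [t for t in m.group("args").split() if t.startswith("-")]
        if suspicious:
            user = re.search(r"user=(\S+)", line)
            hits.append((user.group(1) if user else "?", suspicious))
    return hits
```

The detection rule is deliberately broad: any dash-prefixed token in an export command's arguments is worth an alert, not only the two options named in the advisory.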

Fortinet acknowledges the contributions of Loïc Restoux and Orange CERT-CC for discovering and responsibly reporting this vulnerability, fostering a collaborative approach to cybersecurity.

The timeline of events includes the initial report on May 31, 2023, with the fix published on October 10, 2023.

Subsequent updates were made on January 27, 2025, adding FortiAnalyzer and FortiAnalyzer-BigData, May 13, 2025, for FortiManager Cloud, and June 10, 2025, for FortiAnalyzer-Cloud, reflecting ongoing efforts to address the issue comprehensively.


The post Fortinet OS Command Injection Vulnerability Lets Attackers Execute Unauthorised Code on FortiAnalyzer-Cloud appeared first on Cyber Security News.