Wednesday, 09 July 2025

Fortinet fixes FortiWeb command injection vulnerability

Fortinet has fixed a vulnerability in its FortiWeb firewall, designed to protect web applications from web attacks, and thanked Positive Technologies expert Andrey Medov for identifying the problem.

The bug received the identifier CVE-2021-22123 and a score of 7.4 on the CVSSv3 scale, which corresponds to the high severity level.

"A command injection vulnerability in the FortiWeb management interface may allow an authenticated remote attacker to execute arbitrary commands on the system via the SAML server configuration page," explains Andrey Medov. "Executing commands with maximum privileges will result in attackers gaining full control over the server. And if the firewall administration interface were available on the Internet as a result of incorrect configuration, and the product were not updated to the latest versions, then the combination of CVE-2021-22123 with the CVE-2020-29015 bug discovered earlier could allow an attacker to penetrate the internal network."

To fix the vulnerability, update FortiWeb 6.3.7 and below, 6.2.3 and below, 6.1.x, 6.0.x and 5.9.x to version 6.3.8 or 6.2.4 (depending on the product branch in use).
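The affected and fixed version ranges from that sentence, turned into a small inventory check a defender can run over a list of FortiWeb version strings. This is an added example, not Fortinet's or the article's code; the accepted input formats ("6.3.7", "v6.3.7", "FortiWeb 6.3.7") are an assumption.

```python
"""Map a FortiWeb version string to the CVE-2021-22123 remediation stated in
the advisory text above. Added example; not Fortinet's code."""
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Per the advisory: 6.3.7 and below (6.3 branch) and 6.2.3 and below (6.2 branch)
# are affected and have a fix on their own branch; 6.1.x, 6.0.x and 5.9.x are
# affected and must move to one of the fixed branches.
LAST_VULNERABLE = {(6, 3): (6, 3, 7), (6, 2): (6, 2, 3)}
FIXED_ON_BRANCH = {(6, 3): "6.3.8", (6, 2): "6.2.4"}
BRANCHES_WITHOUT_FIX = {(6, 1), (6, 0), (5, 9)}


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z', 'vX.Y.Z' or 'FortiWeb X.Y.Z' into an int tuple (assumed formats)."""
    tokens = text.strip().split()
    if not tokens:
        raise ValueError("empty version string")
    parts = tokens[-1].lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized FortiWeb version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def remediation(text: str) -> Optional[str]:
    """Return the version to update to, or None if the build is not in an
    affected range named by the advisory (branches it does not mention are
    reported as None and should be checked against Fortinet's own notice)."""
    version = parse_version(text)
    branch = version[:2]
    if branch in LAST_VULNERABLE:
        # Tuple comparison orders (6, 3, 7) <= (6, 3, 7) and (6, 3, 8) > (6, 3, 7)
        return FIXED_ON_BRANCH[branch] if version <= LAST_VULNERABLE[branch] else None
    if branch in BRANCHES_WITHOUT_FIX:
        return "6.2.4 or 6.3.8"
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts
    for host, ver in [("waf-1", "6.3.7"), ("waf-2", "6.2.4"), ("waf-3", "FortiWeb 6.0.5")]:
        print(host, ver, "->", remediation(ver) or "not affected per advisory")
```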

Source: anti-malware.ru

23 June 2021
