PSIRT Advisories

FortiMail - OS Command injection


An improper neutralization of special elements used in an OS Command vulnerability (CWE-78) in FortiMail's administrative interface may allow an authenticated attacker to execute unauthorized commands via specifically crafted HTTP requests.
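To make the CWE-78 pattern behind this advisory concrete, the following is an added illustration and not FortiMail code: the advisory does not disclose which administrative action, parameter or command is involved, so the `host` parameter, the `ping` command and the handler itself are hypothetical stand-ins. The block contrasts the vulnerable shape (request data concatenated into a shell string) with a hardened handler that allowlist-validates the value and passes an argv list with `shell=False`, and includes a small metacharacter check of the kind a defender might run over admin-interface request logs. The unsafe string is only built and returned, never executed.

```python
import re
import subprocess

# Characters a POSIX shell would interpret specially. Their presence in a value
# that is supposed to be a hostname is a useful review/detection signal.
SHELL_META = set(";|&$`<>(){}\n\\\"'")

# Allowlist for hostname/IP-shaped input (hypothetical parameter shape).
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_command_unsafe(host: str) -> str:
    """Vulnerable pattern (CWE-78): untrusted request data is interpolated into
    a single string destined for a shell. Returned as a string only; this example
    never hands it to a shell."""
    return f"ping -c 1 {host}"


def has_shell_metachars(value: str) -> bool:
    """Detection aid: True when a request value contains shell metacharacters."""
    return any(ch in SHELL_META for ch in value)


def validate_host(host: str) -> str:
    """Allowlist validation: accept only hostname/IP-shaped values, reject the rest
    before any command is constructed."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return host


def run_hardened(host: str) -> str:
    """Hardened pattern: validate, then run an argv list with shell=False so the
    value is one literal argument and no shell parser ever sees it.
    'printf %s' stands in for the real command so the example runs offline;
    it returns the argument it was given."""
    host = validate_host(host)
    result = subprocess.run(
        ["printf", "%s", host], capture_output=True, text=True, check=True
    )
    return result.stdout


def echo_literal(value: str) -> str:
    """Demonstrates why the argv form neutralizes special elements: even a value
    full of metacharacters comes back verbatim, because it was passed as data,
    not parsed as a command line."""
    result = subprocess.run(
        ["printf", "%s", value], capture_output=True, text=True, check=True
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed sample values for illustration.
    good = "mail.example.com"
    bad = "10.0.0.1; echo injected"
    print("unsafe string for bad input:", build_command_unsafe(bad))
    print("metachars present:", has_shell_metachars(bad))
    print("hardened, good input ->", run_hardened(good))
    try:
        run_hardened(bad)
    except ValueError as exc:
        print("hardened, bad input ->", exc)
    print("argv form passes value literally ->", echo_literal(bad))
```

The point of `echo_literal` is that the fix is structural, not a blocklist: once the value travels as an argv element, the `;` is just a byte in an argument. The allowlist in `validate_host` is still worth keeping as defence in depth, and `has_shell_metachars` is the kind of cheap heuristic that can be applied to historical admin-interface request logs when assessing exposure to an advisory like this one.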

Affected Products

FortiMail 6.4.3
FortiMail 6.2.6
FortiMail 6.0.10
FortiMail 5.4.12


Solutions

Upgrade to FortiMail 7.0.0.

Upgrade to FortiMail 6.4.4.

Upgrade to FortiMail 6.2.7.

Upgrade to FortiMail 6.0.11.

FortiMail 5.4: fix to be confirmed.


Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet PSIRT.