PSIRT Advisories

FortiWeb - OS command injection


Multiple improper neutralization of special elements used in a command vulnerabilities [CWE-77] in FortiWeb management interface may allow an authenticated attacker to execute unauthorized code or commands via crafted parameters of HTTP requests.

Affected Products

FortiWeb version 6.4.1.
FortiWeb version 6.3.15 and below.
FortiWeb version 6.2.5 and below.
FortiWeb version 6.1.x.
FortiWeb version 6.0.x.
FortiWeb version 5.9.x.
FortiWeb version 5.8.x.


Please upgrade to FortiWeb 6.4.2 or above.
Please upgrade to FortiWeb 6.3.16 or above.
Please upgrade to FortiWeb 6.2.6 or above.


Internally discovered and reported by Wilfried Djettchou of Fortinet Product Security team.