FortiExtender - Arbitrary command execution because of missing CLI input sanitization


An improper neutralization of special elements used in a command vulnerability ('Command Injection') [CWE-77] in FortiExtender may allow an authenticated user to raise its privileges to admin user via crafted arguments of the `execute` CLI command.

Affected Products

FortiExtender version 7.0.1 and below.
FortiExtender version 4.2.3 and below.
FortiExtender version 4.1.7 and below.


Upgrade to FortiExtender version 7.0.2 or above.

Upgrade to FortiExtender version 4.2.4 or above.

Upgrade to FortiExtender version 4.1.8 or above.


Internally discovered and reported by Mattia Fecit of Fortinet PSIRT team.