PSIRT Advisories

FortiSOAR - OS Command Injection in Agent Password Field


An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSOAR may allow an authenticated attacker to execute unauthorized code or commands via crafted HTTP GET requests.

Affected Products

FortiSOAR version 7.2.0
FortiSOAR version 7.0.0 through 7.0.2
FortiSOAR version 6.4.1 through 6.4.4


Please upgrade to FortiSOAR version 7.2.1 or above
Please upgrade to FortiSOAR version 7.0.3 or above
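For triage and for understanding the bug class, the following added example (not Fortinet's code and not taken from FortiSOAR itself) does two things: it encodes the affected version ranges listed above so an inventory can be checked quickly, and it contrasts the generic CWE-78 pattern (an untrusted field such as an agent password interpolated into a shell command line) with the hardened form that passes the value as a single argv element without a shell. The `register-agent` command name and the `--password` flag are hypothetical placeholders; the advisory says nothing about FortiSOAR's internal command layout.

```python
import shlex
import subprocess
import sys

# Version ranges copied from the advisory's "Affected Products" list.
AFFECTED_RANGES = [
    ((7, 2, 0), (7, 2, 0)),   # FortiSOAR 7.2.0
    ((7, 0, 0), (7, 0, 2)),   # FortiSOAR 7.0.0 through 7.0.2
    ((6, 4, 1), (6, 4, 4)),   # FortiSOAR 6.4.1 through 6.4.4
]


def parse_version(text):
    """'7.0.2' -> (7, 0, 2); rejects anything that is not three dotted integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSOAR version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version_text):
    """True if the given FortiSOAR version falls in one of the advisory's ranges."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# --- CWE-78: the generic pattern behind this bug class, and its fix ----------
# 'register-agent' and '--password' are hypothetical names for illustration;
# the password field is the attacker-controlled input in the advisory.

def build_command_unsafe(password):
    """Vulnerable pattern: an untrusted value is spliced into a shell string.
    Never execute this; a ';' or '$(...)' in the password changes the command."""
    return f"register-agent --password {password}"


def build_command_safe(password):
    """Hardened: an argv list executed without a shell, so the password is
    exactly one literal argument no matter what characters it contains."""
    return ["register-agent", "--password", password]


def quoted_for_shell(password):
    """If a shell string is unavoidable (e.g. a remote one-liner), shlex.quote
    wraps the value so the shell treats it as a single literal word."""
    return f"register-agent --password {shlex.quote(password)}"


def echo_argument_without_shell(value):
    """Execute a harmless stand-in for the tool (Python printing argv[1]) via an
    argv list, showing the value arrives verbatim even with ; | $ ( ) inside."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed sample password containing a shell separator.
    sample = "hunter2; id"
    for ver in ("7.2.0", "7.0.3", "6.4.4"):
        print(f"{ver}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
    print("unsafe string :", build_command_unsafe(sample))
    print("safe argv     :", build_command_safe(sample))
    print("quoted string :", quoted_for_shell(sample))
    print("round-trip    :", echo_argument_without_shell(sample))
```

The unsafe builder is included only to show why the advisory's wording ("special elements used in an OS command") matters: once the string reaches `/bin/sh`, the separator in the sample splits it into two commands. The argv-list form and `shlex.quote` both keep the value opaque to the shell, and the round-trip helper demonstrates that the hardened path preserves the input byte for byte.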


Fortinet is pleased to thank security researchers Ryan Catterall and OJ Reeves of Beyond Binary for discovering and reporting this vulnerability under responsible disclosure.