PSIRT Advisories

FortiWAN - Command injection vulnerability


An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in the management interface of FortiWAN may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.

Affected Products

FortiWAN version 4.5.0 through 4.5.9
FortiWAN version 4.4.0 through 4.4.1
FortiWAN version 4.3.0 through 4.3.1
FortiWAN version 4.2.5 through 4.2.7
FortiWAN version 4.2.1 through 4.2.2
FortiWAN version 4.1.1 through 4.1.3
FortiWAN version 4.0.0 through 4.0.6


Please upgrade to FortiWAN version 4.5.10 or above


Fortinet is pleased to thank ZiTong Wang from DBappSecurity Co. Ltd. Hatlab for reporting this vulnerability under responsible disclosure.