CVE-2021-22123
published 2021-06-01


Priority: P2 · 72 · Severity: high · CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 77.27% (99.5th percentile)
An OS command injection vulnerability in FortiWeb's management interface 6.3.7 and below, 6.2.3 and below, 6.1.x, 6.0.x, 5.9.x may allow a remote authenticated attacker to execute arbitrary commands on the system via the SAML server configuration page.

Affected

4 ranges

Vendor     Product             Version range        Fixed in
fortinet   fortinet_fortiweb   (not specified)      (not specified)
fortinet   fortiweb            (not specified)      (not specified)
fortinet   fortiweb            >= 5.9.0 < 6.2.4     6.2.4
fortinet   fortiweb            >= 6.3.0 < 6.3.8     6.3.8

Detection & IOCs (extracted from sources)

url: /remoteserver.saml
snort: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Fortinet FortiWeb OS Command Injection Inbound M1 (CVE-2021-22123)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/remoteserver.saml"; fast_pattern; http.request_body; content:"form-data|3b 20|name=|22|name|22|"; nocase; content:"|60|"; distance:0; content:"--------"; distance:0; reference:cve,2021-22123; classtype:attempted-admin; sid:2033738; rev:1; metadata:attack_target Server, created_at 2021_08_18, cve CVE_2021_22123, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2021_08_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
snort: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Fortinet FortiWeb OS Command Injection Inbound M2 (CVE-2021-22123)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/remoteserver.saml"; fast_pattern; http.request_body; content:"form-data|3b 20|name=|22|name|22|"; nocase; content:"|24|"; distance:0; content:"--------"; distance:0; reference:cve,2021-22123; classtype:bad-unknown; sid:2033742; rev:1; metadata:attack_target Server, created_at 2021_08_18, cve CVE_2021_22123, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2021_08_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes: |60| (backtick) in multipart form-data name field
bytes: |24| (dollar sign) in multipart form-data name field
  • Exploit traffic targets the SAML server configuration endpoint via HTTP POST to /remoteserver.saml on the FortiWeb management interface.
  • M1 variant injects OS commands using backtick (0x60) shell metacharacter inside the multipart form-data 'name' field body.
  • M2 variant injects OS commands using dollar sign (0x24) shell metacharacter (e.g. $(...) subshell) inside the multipart form-data 'name' field body.
  • Exploitation requires an authenticated session; monitor for authenticated POST requests to the SAML configuration page containing shell metacharacters.
  • Affected versions span multiple branches; ensure detection coverage applies to all: FortiWeb 6.3.7 and below, 6.2.3 and below, 6.1.x, 6.0.x, and 5.9.x.
  • The Snort/ET rules are marked confidence Medium; tune or validate in your environment before relying on them as sole detection.
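To validate the two ET rules against captured traffic offline (for example while tuning them, as the last bullet recommends), the following added example re-implements their matching logic in Python. It is not part of the CVE record or of the Emerging Threats rule set: it reproduces the M1 (backtick, sid 2033738) and M2 (dollar sign, sid 2033742) conditions as written in the rules above, namely a POST to /remoteserver.saml whose multipart body has a part named "name" followed by the metacharacter and then a run of dashes from the next boundary. The HTTP request samples, the host name and the boundary string are constructed for the example; the authentication requirement mentioned in the bullets cannot be checked from the request body alone and is left to session-level correlation.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Added example (not the CVE record's or the ET rule set's own code): offline
# re-implementation of the matching logic of the two Snort rules for CVE-2021-22123.

BOUNDARY_MARK = b"--------"  # the rules require this run of dashes after the metacharacter
# content:"form-data|3b 20|name=|22|name|22|"; nocase;  ->  form-data; name="name"
NAME_PART = re.compile(rb'form-data; name="name"', re.IGNORECASE)


@dataclass
class HttpRequest:
    method: str
    uri: str
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.1 request into method, URI and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, uri, _version = request_line.split(" ", 2)
    return HttpRequest(method, uri, body)


def _metachar_then_boundary(segment: bytes, metachar: bytes) -> bool:
    """Snort 'distance:0' chain: metachar after the part header, boundary dashes after the metachar."""
    pos = segment.find(metachar)
    return pos != -1 and segment.find(BOUNDARY_MARK, pos + 1) != -1


def classify(req: HttpRequest) -> List[str]:
    """Return the rule variants ('M1', 'M2') a request would trigger; empty list if none."""
    # http.method POST and http.uri containing /remoteserver.saml
    if req.method.upper() != "POST" or "/remoteserver.saml" not in req.uri:
        return []
    m = NAME_PART.search(req.body)
    if not m:
        return []
    tail = req.body[m.end():]
    hits = []
    if _metachar_then_boundary(tail, b"\x60"):  # |60| backtick, M1
        hits.append("M1")
    if _metachar_then_boundary(tail, b"\x24"):  # |24| dollar sign, M2
        hits.append("M2")
    return hits


def build_multipart(boundary: bytes, fields: Dict[str, bytes]) -> bytes:
    """Build a minimal multipart/form-data body (constructed sample data)."""
    parts = []
    for key, value in fields.items():
        parts.append(b"--" + boundary + b"\r\n"
                     b'Content-Disposition: form-data; name="' + key.encode() + b'"\r\n\r\n'
                     + value + b"\r\n")
    return b"".join(parts) + b"--" + boundary + b"--\r\n"


def sample_requests() -> Dict[str, bytes]:
    """Constructed requests: one benign SAML-server save, one per rule variant, one GET."""
    boundary = b"---------------constructedBoundary"  # contains the 8-dash run the rules key on

    def post(fields: Dict[str, bytes]) -> bytes:
        body = build_multipart(boundary, fields)
        return (b"POST /remoteserver.saml HTTP/1.1\r\n"
                b"Host: fortiweb.example\r\n"  # placeholder host
                b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n\r\n" + body)

    return {
        "benign": post({"name": b"corp-idp", "entityID": b"https://idp.example/saml"}),
        "m1": post({"name": b"idp`x`"}),      # backtick metacharacter in the name field
        "m2": post({"name": b"idp$(x)"}),     # dollar-sign metacharacter in the name field
        "get": b"GET /remoteserver.saml HTTP/1.1\r\nHost: fortiweb.example\r\n\r\n",
    }


def scan(requests: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify every labelled raw request."""
    return {label: classify(parse_request(raw)) for label, raw in requests.items()}


if __name__ == "__main__":
    for label, hits in scan(sample_requests()).items():
        print(f"{label:7s} -> {hits or 'no match'}")
```

Only the metacharacter-to-boundary ordering of the rules is reproduced; like the rules themselves, the check fires on any backtick or dollar sign in the field, so a legitimate server name containing either character produces the same Medium-confidence alert and should be allow-listed during tuning.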

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 9.0 CRITICAL, vector AV:N/AC:L/Au:S/C:C/I:C/A:C