CVE-2021-22123
Published 2021-06-01
Priority: P2 · 72 · high · CVSS 3.1: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 77.27% (99.5th percentile)
An OS command injection vulnerability in FortiWeb's management interface 6.3.7 and below, 6.2.3 and below, 6.1.x, 6.0.x, 5.9.x may allow a remote authenticated attacker to execute arbitrary commands on the system via the SAML server configuration page.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortinet_fortiweb | — | — |
| fortinet | fortiweb | — | — |
| fortinet | fortiweb | >= 5.9.0 < 6.2.4 | 6.2.4 |
| fortinet | fortiweb | >= 6.3.0 < 6.3.8 | 6.3.8 |
Detection & IOCs (extracted from sources)
url: /remoteserver.saml
snort (sid 2033738, M1 variant):
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Fortinet FortiWeb OS Command Injection Inbound M1 (CVE-2021-22123)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/remoteserver.saml"; fast_pattern; http.request_body; content:"form-data|3b 20|name=|22|name|22|"; nocase; content:"|60|"; distance:0; content:"--------"; distance:0; reference:cve,2021-22123; classtype:attempted-admin; sid:2033738; rev:1; metadata:attack_target Server, created_at 2021_08_18, cve CVE_2021_22123, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2021_08_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```
snort (sid 2033742, M2 variant):
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Fortinet FortiWeb OS Command Injection Inbound M2 (CVE-2021-22123)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/remoteserver.saml"; fast_pattern; http.request_body; content:"form-data|3b 20|name=|22|name|22|"; nocase; content:"|24|"; distance:0; content:"--------"; distance:0; reference:cve,2021-22123; classtype:bad-unknown; sid:2033742; rev:1; metadata:attack_target Server, created_at 2021_08_18, cve CVE_2021_22123, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2021_08_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```
bytes: |60| (backtick, 0x60) in the multipart form-data name field
bytes: |24| (dollar sign, 0x24) in the multipart form-data name field
- Exploit traffic targets the SAML server configuration endpoint via an HTTP POST to /remoteserver.saml on the FortiWeb management interface.
- The M1 variant injects OS commands using the backtick (0x60) shell metacharacter inside the body of the multipart form-data 'name' field.
- The M2 variant injects OS commands using the dollar-sign (0x24) shell metacharacter (e.g. a $(...) subshell) inside the body of the multipart form-data 'name' field.
- Exploitation requires an authenticated session; monitor for authenticated POST requests to the SAML configuration page whose body contains shell metacharacters.
- Affected versions span multiple branches; ensure detection coverage applies to all of them: FortiWeb 6.3.7 and below, 6.2.3 and below, 6.1.x, 6.0.x, and 5.9.x.
- The Snort/ET rules are marked confidence Medium; tune or validate them in your environment before relying on them as the sole detection.
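The two rules above share one shape: a POST to /remoteserver.saml whose multipart body has a `form-data; name="name"` part header, followed somewhere later by a backtick (M1) or dollar sign (M2), followed by a run of dashes from the next boundary. The following Python is an added example, not code from this page, Fortinet or Emerging Threats. It parses a captured request body and applies two checks: a strict one that decodes the multipart parts and inspects only the value of the 'name' part, and a looser one that mirrors the rules' ordered content matches. The boundary string, the `description` field and every field value are constructed sample data; only the endpoint, the part name 'name' and the two metacharacters come from the page.

```python
"""Detection helper for CVE-2021-22123 traffic (added example)."""
import re
from typing import Dict, Optional

SAML_ENDPOINT = "/remoteserver.saml"
# Metacharacters keyed on by the two ET rules: backtick (M1), dollar sign (M2).
METACHAR_VARIANTS = {"`": "M1", "$": "M2"}
BOUNDARY = b"--------boundary1234"  # constructed; real clients choose their own
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY.decode()


def build_body(fields: Dict[str, str], boundary: bytes = BOUNDARY) -> bytes:
    """Assemble a multipart/form-data body from name -> value pairs (sample data only)."""
    out = b""
    for key, value in fields.items():
        out += b"--" + boundary + b"\r\n"
        out += b'Content-Disposition: form-data; name="' + key.encode() + b'"\r\n\r\n'
        out += value.encode() + b"\r\n"
    return out + b"--" + boundary + b"--\r\n"


def parse_multipart(body: bytes, boundary: bytes) -> Dict[str, bytes]:
    """Return {part name: raw value} for every form-data part in the body."""
    parts: Dict[str, bytes] = {}
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter reached
            break
        head, sep, value = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if not sep:
            continue  # malformed part without a header/body separator
        m = re.search(rb'form-data;\s*name="([^"]*)"', head, re.IGNORECASE)
        if m:
            parts[m.group(1).decode("latin-1")] = value.rstrip(b"\r\n")
    return parts


def classify_request(method: str, uri: str, content_type: str, body: bytes) -> Optional[str]:
    """Strict check: a POST to the SAML endpoint whose 'name' part carries a
    backtick or a dollar sign. Returns 'M1', 'M2' or None."""
    if method.upper() != "POST" or uri.split("?", 1)[0] != SAML_ENDPOINT:
        return None
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        return None
    name_value = parse_multipart(body, m.group(2).encode()).get("name", b"")
    for ch, variant in METACHAR_VARIANTS.items():
        if ch.encode() in name_value:
            return variant
    return None


def rule_style_match(body: bytes) -> Optional[str]:
    """Looser check mirroring the ET rules' ordered content matches: the 'name'
    part header, then a metacharacter anywhere after it, then '--------' after
    that. A metacharacter in any later part also satisfies the middle match."""
    m = re.search(rb'form-data;\s*name="name"', body, re.IGNORECASE)
    if not m:
        return None
    rest = body[m.end():]
    for ch, variant in METACHAR_VARIANTS.items():
        idx = rest.find(ch.encode())
        if idx != -1 and rest.find(b"--------", idx) != -1:
            return variant
    return None


# Constructed sample bodies; 'description' is a hypothetical second form field.
SAMPLES = {
    "benign": build_body({"name": "primary-idp", "description": "corporate IdP"}),
    "m1": build_body({"name": "idp`cmd`", "description": "corporate IdP"}),
    "m2": build_body({"name": "idp$(cmd)", "description": "corporate IdP"}),
    "fp": build_body({"name": "primary-idp", "description": "budget $100"}),
}


def scan_samples() -> Dict[str, tuple]:
    """Run both checks over every sample: {label: (strict_verdict, rule_style_verdict)}."""
    return {
        label: (classify_request("POST", SAML_ENDPOINT, CONTENT_TYPE, body), rule_style_match(body))
        for label, body in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, (strict, loose) in scan_samples().items():
        print(f"{label:7s} strict={strict} rule_style={loose}")
```

The `fp` sample is the point of the comparison: its 'name' part is clean, but a dollar sign in a later field followed by the next boundary satisfies the rule-style sequence, so the looser check reports M2 while the strict parse does not. That is one concrete reason the rules carry confidence Medium and are worth pairing with a field-aware check on the management interface's own request logs.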
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Fortinet (vendor_fortinet · 2021-06-01 · CVSS 7.6)
CVE-2021-22123 [HIGH] CWE-78
FG-IR-20-120: An OS command injection vulnerability in FortiWeb's management interface 6.3.7 and below, 6.2.3 and below, 6.1.x, 6.0.x, 5.9.x may allow a remote authenticated attacker to execute arbitrary commands on the system via the SAML server configuration page.
CVEs: CVE-2021-22123
CWEs: CWE-78
CVSS: 7.6 (high)
Affected products: FortiWeb
GHSA (ghsa_unreviewed · 2022-05-24)
CVE-2021-22123 [HIGH] CWE-78
GHSA-r6qx-2c6r-vjjf: An OS command injection vulnerability in FortiWeb's management interface 6.3.7 and below, 6.2.3 and below, 6.1.x, 6.0.x, 5.9.x may allow a remote authenticated attacker to execute arbitrary commands on the system via the SAML server configuration page.
Suricata (suricata · 2021-08-18 · CVSS 7.6)
CVE-2021-22123 [HIGH]
ET EXPLOIT Fortinet FortiWeb OS Command Injection Inbound M1 (CVE-2021-22123)
Rule: sid 2033738; the full rule text is reproduced under Detection & IOCs above.
Suricata (suricata · 2021-08-18 · CVSS 7.6)
CVE-2021-22123 [HIGH]
ET EXPLOIT Fortinet FortiWeb OS Command Injection Inbound M2 (CVE-2021-22123)
Rule: sid 2033742; the full rule text is reproduced under Detection & IOCs above.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-06-01