CVE-2021-26106

CWE-78 — OS Command Injection4 documents4 sources

Severity

7.8HIGH

EPSS

0.1%

top 69.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortiap Fortinet Fortiap-s Fortinet Fortiap-w2

Timeline

PublishedJul 9

Latest updateMay 24

Description

An improper neutralization of special elements used in an OS Command vulnerability in FortiAP's console 6.4.1 through 6.4.5 and 6.2.4 through 6.2.5 may allow an authenticated attacker to execute unauthorized commands by running the kdbg CLI command with specifically crafted arguments.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶NVDfortinet/fortiap6.4.1 — 6.4.6

▶NVDfortinet/fortiap-s6.2.4 — 6.2.6

▶NVDfortinet/fortiap-w26.2.4 — 6.2.6

🔴Vulnerability Details

GHSA

GHSA-7wf6-r29p-wfx8: An improper neutralization of special elements used in an OS Command vulnerability in FortiAP's console 6↗2022-05-24

▶

CVEList

CVE-2021-26106: An improper neutralization of special elements used in an OS Command vulnerability in FortiAP's console 6↗2021-07-09

▶

📋Vendor Advisories

Fortinet

An improper neutralization of special elements used in an OS Command vulnerability in FortiAP's console 6.4.1 through 6...↗2021-07-09

▶