CVE-2021-36182
Published 2021-09-08
Priority: P2 · 63 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.92% (77.3rd percentile)
An improper neutralization of special elements used in a command ('Command Injection') in Fortinet FortiWeb version 6.3.13 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortinet | — | — |
| fortinet | fortinet_fortiweb | — | — |
| fortinet | fortiweb | <= 6.2.4 | — |
| fortinet | fortiweb | — | — |
| fortinet | fortiweb | >= 6.3.0 < 6.3.14 | 6.3.14 |
Detection & IOCs (extracted from sources)
- Vulnerability class is OS Command Injection (CWE-78) triggered via crafted HTTP requests to Fortinet FortiWeb; monitor for anomalous or unexpected OS-level command execution spawned from the FortiWeb process.
- Scope detection to FortiWeb versions 6.3.13 and below; any FortiWeb instance running these versions should be treated as potentially exploitable.
- The advisory covers FortiWeb 6.3.13 and all versions below it; ensure patching scope includes all sub-versions in the 6.3.x branch.
CVSS provenance
- NVD, CVSS v3.1: 8.8 (HIGH), CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 6.5 (MEDIUM), AV:N/AC:L/Au:S/C:P/I:P/A:P
GHSA
- GHSA-jcp2-cx35-47gg (ghsa_unreviewed, 2022-05-24): CVE-2021-36182 [HIGH], CWE-78. An improper neutralization of special elements used in a command ('Command Injection') in Fortinet FortiWeb version 6.3.13 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests.
Fortinet
- FG-IR-21-047 (vendor_fortinet, 2021-09-08, CVSS 8.8): CVE-2021-36182 [HIGH], CWE-78. An improper neutralization of special elements used in a command ('Command Injection') in Fortinet FortiWeb version 6.3.13 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests.
CVEs: CVE-2021-36182
CWEs: CWE-78
CVSS: 8.8 (high)
Affected products: FortiWeb, Fortinet
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.