CVE-2021-41016 — OS Command Injection in Fortinet Fortiextender Firmware

CWE-78 — OS Command Injection CWE-77 — Command Injection4 documents4 sources

Severity

8.8HIGHNVD

CNA7.8

EPSS

0.6%

top 30.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortiextender Firmware

Timeline

PublishedFeb 2

Latest updateFeb 8

Description

A improper neutralization of special elements used in a command ('command injection') in Fortinet FortiExtender version 7.0.1 and below, 4.2.3 and below, 4.1.7 and below allows an authenticated attacker to execute privileged shell commands via CLI commands including special characters

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDfortinet/fortiextender_firmware4.1.1 — 4.1.8+2

🔴Vulnerability Details

GHSA

GHSA-8h76-r3wq-wvqp: A improper neutralization of special elements used in a command ('command injection') in Fortinet FortiExtender version 7↗2022-02-08

▶

CVEList

CVE-2021-41016: A improper neutralization of special elements used in a command ('command injection') in Fortinet FortiExtender version 7↗2022-02-02

▶

📋Vendor Advisories

Fortinet

A improper neutralization of special elements used in a command ('command injection') in Fortinet FortiExtender version...↗2022-02-02

▶