CVE-2021-41025
Published: 2021-12-08
Priority: P271 | Severity: critical | CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.44% (70.0th percentile)
Multiple vulnerabilities in the authentication mechanism of confd in FortiWeb versions 6.4.1, 6.4.0, 6.3.0 through 6.3.15, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, including an instance of concurrent execution using shared resource with improper synchronization and one of authentication bypass by capture-replay, may allow a remote unauthenticated attacker to circumvent the authentication process and authenticate as a legitimate cluster peer.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortinet_fortiweb | — | — |
| fortinet | fortiweb | — | — |
| fortinet | fortiweb | 6.0.0 – 6.0.7 | — |
| fortinet | fortiweb | 6.2.0 – 6.2.6 | — |
| fortinet | fortiweb | 6.3.0 – 6.3.15 | — |
Detection & IOCs (extracted from sources)
- Target service is 'confd' (FortiWeb cluster configuration daemon); monitor for unauthenticated remote connections to the confd service, particularly from non-cluster peer IPs.
- Look for the authentication bypass by capture-replay pattern against the confd service; monitor for replayed authentication tokens or sessions from unexpected sources.
- Monitor for race condition exploitation (concurrent execution using shared resource with improper synchronization) against the confd authentication mechanism on FortiWeb appliances.
- The vulnerability affects a wide range of FortiWeb versions; confirm the version scope before scoping detection. Affected versions are 6.4.1, 6.4.0, 6.3.0–6.3.15, 6.2.0–6.2.6, 6.1.0–6.1.2, and 6.0.0–6.0.7.
- The vulnerable component is specifically 'confd', the cluster configuration daemon in FortiWeb; detection should be scoped to this service rather than the general web management interface.
- Two distinct vulnerability classes are present (CWE-362 race condition and capture-replay); detection and patching strategies should account for both attack vectors independently.
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
GHSA
GHSA-rvmf-qfpg-9qgj: Multiple vulnerabilities in the authentication mechanism of confd in FortiWeb versions 6
Source: ghsa_unreviewed · 2021-12-09 · CVE-2021-41025 · CRITICAL · CWE-362
Fortinet
FG-IR-21-130: Multiple vulnerabilities in the authentication mechanism of confd in FortiWeb versions 6.4.1, 6.4.0, 6.3.0 through 6.3.1...
Source: vendor_fortinet · 2021-12-08 · CVE-2021-41025 · HIGH · CVSS 7.3 · CWE-362
CVEs: CVE-2021-41025
CWEs: CWE-362
CVSS: 7.3 (high)
Affected products: FortiWeb
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-12-08