CVE-2021-41025
published 2021-12-08

CVE-2021-41025: Multiple vulnerabilities in the authentication mechanism of confd in FortiWeb versions 6.4.1, 6.4.0, 6.3.0 through 6.3.15, 6.2.0 through 6.2.6, 6.1.0 through…

Priority: P271
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.44% (70.0th percentile)
Multiple vulnerabilities in the authentication mechanism of confd in FortiWeb versions 6.4.1, 6.4.0, 6.3.0 through 6.3.15, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, including an instance of concurrent execution using shared resource with improper synchronization and one of authentication bypass by capture-replay, may allow a remote unauthenticated attacker to circumvent the authentication process and authenticate as a legitimate cluster peer.

Affected

11 ranges

Vendor     Product             Version range     Fixed in
fortinet   fortinet_fortiweb
fortinet   fortiweb
fortinet   fortiweb
fortinet   fortiweb
fortinet   fortiweb
fortinet   fortiweb
fortinet   fortiweb
fortinet   fortiweb
fortinet   fortiweb            6.0.0 – 6.0.7
fortinet   fortiweb            6.2.0 – 6.2.6
fortinet   fortiweb            6.3.0 – 6.3.15

Detection & IOCs (extracted from sources)

  • Target service is 'confd' (FortiWeb cluster configuration daemon); monitor for unauthenticated remote connections to the confd service, particularly from non-cluster peer IPs
  • Look for authentication bypass via capture-replay attack pattern against the confd service — monitor for replayed authentication tokens/sessions from unexpected sources
  • Monitor for race condition exploitation (concurrent execution using shared resource with improper synchronization) against the confd authentication mechanism on FortiWeb appliances
  • Vulnerability affects a wide range of FortiWeb versions; ensure version scope is confirmed before scoping detection — affected versions are 6.4.1, 6.4.0, 6.3.0–6.3.15, 6.2.0–6.2.6, 6.1.0–6.1.2, and 6.0.0–6.0.7
  • The vulnerable component is specifically 'confd', the cluster configuration daemon in FortiWeb; detection should be scoped to this service rather than the general web management interface
  • Two distinct vulnerability classes are present (CWE-362 race condition and capture-replay); detection and patching strategies should account for both attack vectors independently

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P