CVE-2021-42756
published 2023-02-16

Priority: P277
Severity: critical, 9.8 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 36.41% (98.3th percentile)
Multiple stack-based buffer overflow vulnerabilities [CWE-121] in the proxy daemon of FortiWeb 5.x all versions, 6.0.7 and below, 6.1.2 and below, 6.2.6 and below, 6.3.16 and below, 6.4 all versions may allow an unauthenticated remote attacker to achieve arbitrary code execution via specifically crafted HTTP requests.

Affected

18 ranges

Vendor    Product    Version range         Fixed in
fortinet  fortiweb
fortinet  fortiweb   >= 5.6.0 < 5.6.*      5.6.*
fortinet  fortiweb   >= 5.6.0 < 6.0.8      6.0.8
fortinet  fortiweb   5.6.0 – 5.6.2
fortinet  fortiweb   >= 5.7.0 < 5.7.*      5.7.*
fortinet  fortiweb   5.7.0 – 5.7.3
fortinet  fortiweb   >= 5.8.0 < 5.8.*      5.8.*
fortinet  fortiweb   5.8.0 – 5.8.3
fortinet  fortiweb   5.8.5 – 5.8.7
fortinet  fortiweb   5.9.0 – 5.9.1
fortinet  fortiweb   6.0.0 – 6.0.7
fortinet  fortiweb   >= 6.1.0 < 6.1.3      6.1.3
fortinet  fortiweb   6.1.0 – 6.1.2
fortinet  fortiweb   >= 6.2.0 < 6.2.7      6.2.7
fortinet  fortiweb   6.2.0 – 6.2.6
fortinet  fortiweb   >= 6.3.0 < 6.3.17     6.3.17
fortinet  fortiweb   6.3.0 – 6.3.16
fortinet  fortiweb   6.4.0 – 6.4.2

Detection & IOCs (extracted from sources)

  • Monitor the FortiWeb proxy daemon process for anomalous activity; specifically crafted HTTP requests that trigger stack-based buffer overflows (CWE-121) may indicate exploitation attempts
  • Monitor for unauthenticated inbound HTTP requests to FortiWeb appliances that are abnormally large or malformed, consistent with stack buffer overflow exploitation attempts against the proxy daemon
  • All FortiWeb 5.x versions are affected with no patched sub-version available in that branch, and FortiWeb 6.4 all versions are also fully affected; prioritize these branches for upgrade or mitigation
  • The vulnerability resides specifically in the proxy daemon component of FortiWeb; detection and mitigation efforts should be scoped to that daemon rather than the broader FortiWeb application