CVE-2023-36548
Published 2023-10-10
Priority: P2 (70) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.11% (79.4th percentile)
An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows an attacker to execute unauthorized code or commands via specifically crafted HTTP GET request parameters.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortinet | — | — |
| fortinet | fortiwlm | — | — |
| fortinet | fortiwlm | 8.5.0 – 8.5.4 | — |
| fortinet | fortiwlm | 8.6.0 – 8.6.5 | — |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered via crafted HTTP GET request parameters: monitor for anomalous or malformed GET request parameters targeting FortiWLM endpoints.
- OS command injection (CWE-78) in FortiWLM: inspect GET request parameters sent to FortiWLM management interfaces for shell metacharacters or command-injection payloads.
- Affected versions are FortiWLM 8.6.0–8.6.5 and 8.5.0–8.5.4; ensure detection and patching scope covers both branches.
- This CVE is part of a cluster of related FortiWLM vulnerabilities (CVE-2023-34993, CVE-2023-36547, CVE-2023-36548, CVE-2023-36549, CVE-2023-36550); treat them as one broader attack surface requiring holistic remediation.
GHSA
- GHSA-w468-8qwj-58hh (ghsa_unreviewed, published 2023-10-10): CVE-2023-36548, CRITICAL, CWE-78. The advisory text is the same OS command injection description given above.
Fortinet
- FG-IR-23-140 (vendor_fortinet, published 2023-10-10, CVSS 9.8): vendor advisory covering this issue, indexed under CVE-2023-34993 [CRITICAL] CWE-78. The advisory text is the same OS command injection description given above.
  - CVEs: CVE-2023-34993, CVE-2023-36547, CVE-2023-36548, CVE-2023-36549, CVE-2023-36550
  - CWEs: CWE-78
  - CVSS: 9.8 (critical)
  - Affected products: FortiWLM, FortiWlm, Fortinet
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2023-10-10