CVE-2023-48782
published 2023-12-13

Priority: P2 (65), high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 2.66% (83.8th percentile)
An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 allows an attacker to execute unauthorized code or commands via specifically crafted HTTP GET request parameters.

Affected (3 ranges)

Vendor     Product    Version range    Fixed in
fortinet   fortinet
fortinet   fortiwlm
fortinet   fortiwlm   8.6.0 – 8.6.5

Detection & IOCs (extracted from sources)

URL: /ems/cgi-bin/ezrf_switches.cgi
Parameter: op_type=addSwitche
Snort/Suricata rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Fortinet FortiWLM Authenticated Command Injection (CVE-2023-48782)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ems/cgi-bin/ezrf_switches.cgi"; fast_pattern; content:"op_type=addSwitche"; content:"Hostname|3d|"; pcre:"/^[^&]*?[\x3b\x0a\x26\x60\x7c\x24]/R"; reference:url,www.horizon3.ai/attack-research/attack-blogs/fortiwlm-the-almost-story-for-the-forti-forty; reference:cve,2023-48782; classtype:web-application-attack; sid:2058407; rev:1; metadata:affected_product FortiWLM, attack_target Server, tls_state TLSDecrypt, created_at 2024_12_19, cve CVE_2023_48782, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_12_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Bytes: Hostname= followed by shell metacharacters: 0x3b (;) 0x0a (\n) 0x26 (&) 0x60 (`) 0x7c (|) 0x24 ($)
  • Look for authenticated HTTP GET requests targeting /ems/cgi-bin/ezrf_switches.cgi with the op_type=addSwitche parameter and shell metacharacters (;, newline, &, `, |, $) injected into the Hostname parameter value.
  • The injection vector is specifically crafted HTTP GET request parameters, meaning query string inspection (not POST body) is required for detection.
  • The Snort/Suricata rule (ET sid:2058407) is tagged for TLS-decrypted traffic (tls_state TLSDecrypt / deployment SSLDecrypt), so SSL inspection is required to detect exploitation over HTTPS.
  • Additional research reference for exploit details and PoC context: horizon3.ai blog on FortiWLM.
  • The vulnerability affects FortiWLM versions 8.6.0 through 8.6.5 only; detections should be scoped to those versions.
  • The exploit requires authentication (the rule msg states 'Authenticated Command Injection'), so an attacker must hold valid credentials before triggering the injection.
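As an added example (not from this record or from the rule's author), a Python check that mirrors the rule's conditions over HTTP request lines: a GET to the vulnerable CGI, op_type=addSwitche, and one of the rule's shell metacharacters inside the percent-decoded Hostname value; the request lines are constructed samples. It splits parameters on & before decoding, so a plain separator after Hostname= does not fire on its own the way the rule's pcre class, which includes 0x26, can.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample request lines (not real captures); only the second one
# carries a shell metacharacter inside the Hostname value.
SAMPLE_REQUESTS = [
    "GET /ems/cgi-bin/ezrf_switches.cgi?op_type=addSwitches&Hostname=sw01&ip=10.0.0.5 HTTP/1.1",
    "GET /ems/cgi-bin/ezrf_switches.cgi?op_type=addSwitches&Hostname=sw01%3Btest HTTP/1.1",
    "GET /ems/cgi-bin/ezrf_switches.cgi?op_type=listSwitches&Hostname=sw01%7Ctest HTTP/1.1",
    "POST /ems/cgi-bin/ezrf_switches.cgi?op_type=addSwitches&Hostname=sw01%60x%60 HTTP/1.1",
]

TARGET_PATH = "/ems/cgi-bin/ezrf_switches.cgi"
SHELL_META = set(";\n&`|$")  # the rule's pcre class: 0x3b 0x0a 0x26 0x60 0x7c 0x24


def hostname_values(query):
    """URL-decoded value of every Hostname parameter in the query string.
    Splitting on '&' before decoding keeps the separator from being read as an
    injected '&', while a percent-encoded %26 inside a value still counts."""
    values = []
    for part in query.split("&"):
        key, _, value = part.partition("=")
        if key == "Hostname":
            values.append(unquote(value))
    return values


def matches_cve_2023_48782(request_line):
    """Mirror the ET rule's conditions: GET to the target CGI, op_type=addSwitche*,
    and a shell metacharacter inside a Hostname value. Returns (alert, reason)."""
    method, target, _ = request_line.split(" ", 2)
    url = urlsplit(target)
    if method != "GET" or url.path != TARGET_PATH:
        return False, "method or path does not match"
    if "op_type=addSwitche" not in url.query:
        return False, "op_type is not addSwitche*"
    for value in hostname_values(url.query):
        found = sorted(SHELL_META & set(value))
        if found:
            return True, f"metacharacter(s) {found!r} in Hostname={value!r}"
    return False, "Hostname value is clean"


def scan(request_lines):
    """Return (line, reason) for every request line that would raise an alert."""
    return [(line, reason) for line in request_lines
            for alert, reason in [matches_cve_2023_48782(line)] if alert]


if __name__ == "__main__":
    for line, reason in scan(SAMPLE_REQUESTS):
        print("ALERT:", reason, "<-", line)
```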