PT-2021-15646 · Fortinet · FortiManager

Published: 2021-09-30 · Updated: 2021-10-08 · CVE-2021-24016

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Fortinet FortiManager versions 6.4.3 and below; Fortinet FortiManager versions 6.2.7 and below.
Description: The issue is caused by improper neutralization of formula elements in a CSV file (CSV formula injection). An attacker who can place a crafted IPv4 field in a policy name can have arbitrary commands executed when the policy list is exported as an Excel file and that file is opened unsafely on the victim's host.
Recommendations: For Fortinet FortiManager versions 6.4.3 and below, update to a version above 6.4.3 to resolve the issue. For Fortinet FortiManager versions 6.2.7 and below, update to a version above 6.2.7 to resolve the issue. As a temporary workaround, avoid exporting policy names containing crafted IPv4 fields to Excel files until a patch is available, and restrict access to the CSV export feature to minimize the risk of exploitation.
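The weakness class behind this advisory is a CSV export that writes user-controlled text (here, a policy name) into a cell without neutralizing characters a spreadsheet interprets as the start of a formula. The following is an added example, not Fortinet's or FortiManager's code, of the export-side mitigation: every cell that begins with a formula trigger is prefixed with a single quote so Excel and LibreOffice render it as a text literal. The column names and the sample policy rows are constructed for illustration and do not reflect FortiManager's real export format.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula or of special cell content (the OWASP CSV-injection list). Any cell
# beginning with one of these, after leading spaces, must be neutralized before
# the file is handed to a user who may open it in a spreadsheet.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """Return True if a spreadsheet would interpret this cell as a formula."""
    stripped = value.lstrip(" ")
    return stripped.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Neutralize a cell so the spreadsheet renders it as plain text.

    A leading single quote tells Excel/LibreOffice to treat the cell as a text
    literal. Numeric values are left untouched; only strings are checked.
    """
    if not isinstance(value, str) or not is_formula_like(value):
        return value
    return "'" + value


def export_policies_csv(policies):
    """Serialize policy rows to CSV with every cell neutralized.

    `policies` is a list of dicts keyed by the (hypothetical) column names
    below. Every cell is quoted so embedded commas and quotes cannot break
    the row structure either.
    """
    header = ["policy_name", "src_addr", "dst_addr", "action"]
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in policies:
        writer.writerow([neutralize_cell(row[col]) for col in header])
    return buf.getvalue()


# Constructed sample rows: one benign name, one that a spreadsheet would
# evaluate as a formula, and one legitimate name that merely starts with '-'.
SAMPLE_POLICIES = [
    {"policy_name": "Allow HTTP", "src_addr": "10.0.0.0/24",
     "dst_addr": "0.0.0.0/0", "action": "accept"},
    {"policy_name": "=1+1", "src_addr": "192.168.1.10",
     "dst_addr": "10.1.1.1", "action": "accept"},
    {"policy_name": "-deny-all", "src_addr": "0.0.0.0/0",
     "dst_addr": "0.0.0.0/0", "action": "deny"},
]

if __name__ == "__main__":
    print(export_policies_csv(SAMPLE_POLICIES))
```

The neutralization deliberately accepts a few false positives (a name such as "-deny-all" is also prefixed); that cosmetic cost is the trade-off for never letting a user-supplied string reach a spreadsheet in a position where it can be evaluated. `is_formula_like` can also be reused on the import or audit side to flag policy names that already contain formula triggers before any export happens.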

Fix · RCE


Weakness Enumeration

Related Identifiers: CVE-2021-24016

Affected Products: FortiManager