CVE-2021-26104

Name of the Vulnerable Software and Affected Versions FortiManager versions 6.2.7 and below, 6.4.5 and below FortiManager versions 6.2.x, 6.0.x, 5.6.x FortiAnalyzer versions 6.2.7 and below, 6.4.5 and below FortiAnalyzer versions 6.2.x, 6.0.x, 5.6.x FortiPortal versions 5.2.5 and below, 5.3.5 and below, 6.0.4 and below

Description The command line interface of the affected software has multiple OS command injection vulnerabilities, which may allow a local authenticated and unprivileged user to execute arbitrary shell commands as root via specifically crafted CLI command parameters. This issue is related to the lack of measures to neutralize special elements used in operating system commands.

Recommendations For FortiManager versions 6.2.7 and below, 6.4.5 and below, and all versions of 6.2.x, 6.0.x, and 5.6.x, consider disabling the command line interface until a patch is available. For FortiAnalyzer versions 6.2.7 and below, 6.4.5 and below, and all versions of 6.2.x, 6.0.x, and 5.6.x, consider disabling the command line interface until a patch is available. For FortiPortal versions 5.2.5 and below, 5.3.5 and below, and 6.0.4 and below, consider disabling the command line interface until a patch is available. As a temporary workaround, consider restricting access to the command line interface to minimize the risk of exploitation.