Researchers discovered a critical vulnerability in a cybersecurity platform designed to protect businesses

Aug 20, 2021 06:06 GMT

FortiWeb, Fortinet's web application firewall (WAF), is affected by an unpatched command-injection vulnerability that permits privilege escalation and device takeover, according to Rapid7.

FortiWeb is a cybersecurity defense platform designed to protect business-critical online applications from unforeseen vulnerabilities and is regularly updated to keep up with new online APIs. Even so, nothing is safe nowadays: the management interface of FortiWeb versions 6.3.11 and earlier appears to be exposed to this flaw.

According to Rapid7 researcher William Vu, the newly identified vulnerability lets a remote, authenticated attacker execute arbitrary commands on the system. In practice, a threat actor can use the flaw to take full control of the device and install malware, cryptominers or a persistent shell. For the attack to succeed, the threat actor must first gain access to the FortiWeb device's management interface. Vu states that the injection is performed by entering backtick-enclosed commands in the Name field of the device's SAML server configuration page, and that the commands run as the root user.
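The bug class described above is an operator-supplied configuration field reaching a shell unescaped. The following is an added, illustrative example (not FortiWeb's code, and the `/bin/configtool` path, the `saml --name` arguments and the allowlist are assumptions) showing the pattern that produces such a flaw next to the hardened handling: validate the field against a strict allowlist, and pass it to the external tool as a single argv element so no shell ever parses it.

```python
"""Hardening pattern for a user-controlled configuration field.

Added example, not code from the page or from Fortinet: it models a
display-name field (like the SAML server Name above) that ends up in a
system command, and the fix for that situation.
"""
import re

# Allowlist for a human-readable server name: letters, digits, space,
# dot, dash, underscore; 1-64 characters. Assumption: no legitimate name
# needs anything else, so everything outside this set is rejected.
NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")

# Characters a shell would interpret; reported when a value is rejected
# so the refusal can be logged and alerted on.
SHELL_META = set("`$;|&<>(){}\n\"'\\")


def is_safe_name(name: str) -> bool:
    """True only if the name matches the allowlist exactly."""
    return NAME_RE.fullmatch(name) is not None


def find_shell_metachars(name: str) -> list[str]:
    """List the shell metacharacters present in a value, for audit logs."""
    return sorted({c for c in name if c in SHELL_META})


def build_command_vulnerable(name: str) -> str:
    """The bug class: the value is spliced into a string that will be
    handed to /bin/sh. Returned as a string and never executed here, so
    the example stays inert; with a shell, backticks inside `name` would
    be evaluated before the tool even runs."""
    return f"/bin/configtool saml --name {name}"  # hypothetical tool path


def build_command_hardened(name: str) -> list[str]:
    """The fix: refuse anything outside the allowlist, then return an
    argv list. Passing a list to subprocess.run with shell=False means
    the value is one argument to the tool, not text for a shell."""
    if not is_safe_name(name):
        raise ValueError(
            "invalid SAML server name; rejected characters: "
            f"{find_shell_metachars(name) or 'length/charset'}"
        )
    return ["/bin/configtool", "saml", "--name", name]  # hypothetical tool path


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary name, one carrying a backtick.
    for candidate in ("Corporate IdP", "idp`id`"):
        try:
            print("accepted:", build_command_hardened(candidate))
        except ValueError as exc:
            print("rejected:", candidate, "->", exc)
```

The hardened builder deliberately does not try to escape or strip offending characters: an allowlist plus argument-list execution removes the shell from the path entirely, whereas escaping (for example with `shlex.quote`) only helps if every call site remembers to use it.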

There is no evidence yet that the vulnerability has been exploited in the wild

While there is no indication that the newly found security flaw has been exploited in the wild, it is important to remember that unpatched Fortinet servers have long been a profitable target for financially motivated and state-sponsored threat actors. Fortinet FortiOS servers have been targeted by Advanced Persistent Threat groups that exploited vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to compromise systems of government and commercial organizations. The FBI and CISA issued a joint alert on the issue five months ago.

Rapid7 provided the following remediation advice: "In the absence of a patch, users are advised to disable the FortiWeb device's management interface from untrusted networks, which would include the internet. [...] Generally speaking, management interfaces for devices like FortiWeb should not be exposed directly to the internet anyway — instead, they should be reachable only via trusted, internal networks, or over a secure VPN connection."
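The advice above comes down to one control: the sources allowed to reach the management interface must all lie inside networks you trust. The following is an added audit helper (example code, not Rapid7's or Fortinet's, and the trusted admin ranges are constructed assumptions) that takes the list of source networks an access policy permits and flags any entry that is an any-source rule or falls outside the trusted set.

```python
"""Audit the source networks permitted to reach a management interface.

Added example: it does not read FortiWeb configuration; it checks a list
of allowed-source CIDRs against trusted admin networks, which is the
policy Rapid7's remediation advice describes.
"""
import ipaddress

# Constructed sample: the ranges administrators are expected to come from
# (an admin VLAN and a VPN pool). Assumption for this example only.
TRUSTED_ADMIN_NETS = [
    ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.100.0/24", "fd00:1::/64")
]


def audit_mgmt_acl(allowed_sources, trusted=None):
    """Return (source, reason) pairs for entries that expose the interface.

    An entry is acceptable only if it is fully contained in one trusted
    network of the same IP version. A broader range than the trusted one
    (say 10.0.0.0/8 when only 10.20.0.0/16 is trusted) is flagged too.
    """
    trusted = TRUSTED_ADMIN_NETS if trusted is None else trusted
    findings = []
    for src in allowed_sources:
        net = ipaddress.ip_network(src, strict=False)
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0: the interface is reachable from anywhere.
            findings.append((src, "any-source rule: reachable from the internet"))
            continue
        # subnet_of raises on mixed versions, so compare within a version.
        contained = any(
            net.version == t.version and net.subnet_of(t) for t in trusted
        )
        if not contained:
            findings.append((src, "source is not within a trusted admin network"))
    return findings


if __name__ == "__main__":
    # Constructed sample policy mixing a safe entry, an over-broad one and
    # an any-source rule.
    for src, reason in audit_mgmt_acl(["10.20.5.0/24", "10.0.0.0/8", "0.0.0.0/0"]):
        print(f"{src}: {reason}")
```

Run this against the allowed-source list exported from whatever enforces access to the management plane (the appliance's own trusted-host setting, an upstream firewall rule, or a cloud security group); any finding means the interface is reachable from somewhere other than the internal networks or VPN the advice calls for.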