Zero-Day Flaw Found in Fortinet’s FortiWeb WAF Technology
Yesterday, researchers at Rapid7 disclosed a new critical zero-day vulnerability uncovered in Fortinet’s FortiWeb Web application firewall technology. According to the security researchers, an attacker could exploit the bug to gain complete control of affected devices. The flaw is an OS command injection vulnerability that allows attackers to remotely execute commands on the host operating system. There is no patch for the flaw yet and it exists in version 6.3.11 and prior to FortiWeb’s Web management interface.
According to the analysis of the bug, an attacker with authenticated access to the interface can leverage the flaw and take a variety of actions that would potentially harm the victim, including installing a persistent shell, deploying crypto-mining software, or other malware. Rapid7 is recommending that organizations operating with the vulnerable version of the technology disable the device management interface from all untrusted networks.