Fortinet, a global leader in cybersecurity, has addressed a high-severity OS command injection vulnerability, tracked as CVE-2023-42788, affecting multiple products, including FortiManager, FortiAnalyzer, FortiAnalyzer-BigData, and recently confirmed FortiAnalyzer-Cloud. Classified under CWE-78, the vulnerability allows local attackers with low privileges to execute unauthorized OS commands by passing specially crafted arguments to certain CLI commands. Originally disclosed by a Researcher, the flaw has been responsibly reported, with Fortinet confirming its relation to a prior vulnerability, CVE-2021-26104, that had an incomplete fix.

The vulnerability resides in specific CLI commands like diagnose system export umlog ftp and fmwslog, which fail to properly sanitize parameters, opening the door for exploitation. Attackers can leverage tar command options such as --checkpoint and --checkpoint-action to spawn a root shell, thereby escalating privileges and compromising system integrity. A working proof-of-concept confirms the practicality of this exploit, emphasizing its criticality. This vulnerability has been assigned a CVSSv3 score of high, denoting a high-risk threat due to its potential for complete system takeover without user interaction.

Fortinet has released a detailed advisory outlining the affected versions and recommended mitigations. FortiManager Cloud versions 7.2.1 to 7.2.3 and 7.0.1 to 7.0.8 are affected, with fixes available in 7.2.4 and 7.0.9, respectively. All versions of 6.4 require migration to a fixed release, while version 7.4 is unaffected. Organizations using these products are urged to upgrade immediately, as outlined, to mitigate the risk of exploitation. Alongside patching, implementing strict local access controls, log monitoring, and conducting regular security audits is strongly advised.

The timeline of this vulnerability spans several updates: initially reported on May 31, 2023, fixed on October 10, 2023, and later updates issued on January 27, 2025 (adding FortiAnalyzer and FortiAnalyzer-BigData), May 13, 2025 (FortiManager Cloud), and June 10, 2025 (FortiAnalyzer-Cloud). This extended timeline demonstrates Fortinet’s ongoing efforts to comprehensively address and communicate the risks, reflecting a commitment to transparent vulnerability management and collaboration with the security research community.