Full Report
Proof-of-concept exploits have been released for a critical SQLi vulnerability in Fortinet FortiWeb that can be used to achieve pre-authenticated remote code execution on vulnerable servers. [...]
Analysis Summary
# Vulnerability: Pre-Authentication Remote Code Execution in Fortinet FortiWeb via SQL Injection
## CVE Details
- CVE ID: Not explicitly provided in the text, but implied by the urgent patching advice following the description of a critical flaw. *Note: A specific CVE ID is missing from the source material.*
- CVSS Score: Implied Critical (due to unauthenticated RCE).
- CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
## Affected Systems
- Products: Fortinet FortiWeb
- Versions: Not specified in the provided text. Users must refer to Fortinet advisories for specific vulnerable versions.
- Configurations: Any configuration where the affected endpoint is reachable.
## Vulnerability Description
The vulnerability is a critical Remote Code Execution (RCE) flaw stemming from an SQL Injection (SQLi) vulnerability within the product's HTTP request headers. Specifically, attackers can inject malicious SQL payloads into the `Authorization` header when making requests to the `_/api/fabric/device/status_` endpoint. This SQLi allows unauthenticated attackers to bypass authentication checks. Researchers leveraged this SQLi to execute MySQL's `SELECT … INTO OUTFILE` query, enabling them to write arbitrary files to the device. They successfully used this capability to drop a Python `.pth` file into the `site-packages` directory, which is automatically executed when a legitimate FortiWeb CGI Python script (`/cgi-bin/ml-draw.py`) runs, leading to RCE.
## Exploitation
- Status: Exploits released/Public PoCs available. While the article states there is *no indication* of active exploitation at the time of writing, the release of public exploits makes immediate compromise highly likely.
- Complexity: Low (Pre-authentication, simple header injection).
- Attack Vector: Network
## Impact
- Confidentiality: High (Potential for full system compromise)
- Integrity: High (Potential for full system compromise and data tampering)
- Availability: High (Potential for system outage or full compromise)
## Remediation
### Patches
- **Action Required:** Users are strongly advised to install the relevant patches released by Fortinet immediately. (Specific patch versions are not listed in this summary and must be confirmed via the vendor advisory.)
### Workarounds
- If patching is not immediately possible, restrict access to the vulnerable endpoint (`_/api/fabric/device/status_`) or the FortiWeb management interface from untrusted networks.
## Detection
- **Indicators of Compromise (IoCs):** Look for unexpected file creation, specifically Python `.pth` files in the FortiWeb `site-packages` directory, or execution traces related to `/cgi-bin/ml-draw.py` initiated by external HTTP requests containing SQL fragments in authorization headers.
- **Detection Methods and Tools:** Utilize Web Application Firewalls (WAF) or Intrusion Detection/Prevention Systems (IDS/IPS) configured to inspect HTTP headers for SQL syntax strings targeting the specified endpoint. Monitor application logs for authentication bypass attempts or unexpected process execution related to Python library loading.
## References
- Vendor advisories: Consult official Fortinet security bulletin for this vulnerability.
- Relevant links:
- bleepingcomputer com/news/security/exploits-for-pre-auth-fortinet-fortiweb-rce-flaw-released-patch-now/