Fortinet reports critical command injection vulnerability in FortiSIEM

published: Nov. 16, 2023

Take action: Hopefully your FortiSIEM is isolated and accessible only from trusted networks. If not, lock it down quickly and plan for a patch effort. API requests are not immediately exploitable since some credentials are needed to send requests, but a hacker can compromise another component of the infrastructure and then cascade the exploits to a vulnerable FortiSIEM.

Learn More

Fortinet is warning its customers about a critical vulnerability in the FortiSIEM report server. FortiSIEM, an acronym for Security Information and Event Management is offering organizations enhanced visibility and precise control over their security logging. This software is widely utilized in healthcare, finance, retail, e-commerce, government, and the public domain.

The flaw is tracked as CVE-2023-36553 (CVSS3 score 9.3 by Fortinet and 9.8 by NIST) is described as "improper neutralization issue" and could potentially allow remote and unauthenticated attackers to execute malicious commands through specifically crafted API requests.

Improper neutralization issues occur when software fails to properly sanitize input, including special characters or control elements, before passing it as an accepted OS command to be executed by an interpreter. In this context, the FortiSIEM report server takes API requests and forwards them to the operating system as commands, potentially leading to unauthorized access, modification, or deletion of data.

The affected versions of FortiSIEM encompass releases ranging from 4.7 to 5.4. Fortinet strongly recommends that system administrators upgrade to versions 6.4.3, 6.5.2, 6.6.4, 6.7.6, 7.0.1, or 7.1.0 or later to mitigate this critical vulnerability.

Fortinet reports critical command injection vulnerability in FortiSIEM