CVE-2022-27486

Summary

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiDDoS version 5.5.0 through 5.5.1, 5.4.2 through 5.4.0, 5.3.0 through 5.3.1, 5.2.0, 5.1.0, 5.0.0, 4.7.0, 4.6.0 and 4.5.0 and FortiDDoS-F version 6.3.0 through 6.3.1, 6.2.0 through 6.2.2, 6.1.0 through 6.1.4 allows an authenticated attacker to execute shell code as root via execute CLI commands.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiDDoS5.7.0affected
FortinetFortiDDoS5.5.0 <= 5.5.1affected
FortinetFortiDDoS5.4.0 <= 5.4.2affected
FortinetFortiDDoS5.3.0 <= 5.3.2affected
FortinetFortiDDoS5.2.0affected
FortinetFortiDDoS5.1.0affected
FortinetFortiDDoS5.0.0affected
FortinetFortiDDoS4.7.0affected
FortinetFortiDDoS4.6.0affected
FortinetFortiDDoS4.5.0affected
FortinetFortiDDoS-F6.5.0affected
FortinetFortiDDoS-F6.4.0 <= 6.4.1affected
FortinetFortiDDoS-F6.3.0 <= 6.3.4affected
FortinetFortiDDoS-F6.2.0 <= 6.2.2affected
FortinetFortiDDoS-F6.1.0 <= 6.1.5affected

Weaknesses

  • CWE-78: Improper access control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References