Critical remote code execution vulnerabilities found in FortiAP

Network security specialists recently reported the finding of a security vulnerability in fortiAP CLI wireless access points developed by California-based technology firm Fortinet. This flaw can be exploited by some remote threat actor to trigger the execution of arbitrary commands on the target system by using specially designed ifconfig commands.

The vulnerability, tracked as CVE-2019-15708 and reported last February 10, allows the execution of arbitrary code on the target system, in addition potential attackers do not require authentication on the target system, so it is considered a serious security flaw.

The vulnerability was reported in a timely manner to Fortinet by NYC Cyber Command researchers.

Regarding potentially affected products, network security specialists mention that these are:

  • FortiAP-S/W2, versions 6.2.1, 6.2.0, 6.0.5 and earlier
  • FortiAP v6.0.5 and earlier
  • FortiAP-U, any version prior to v6.0.0

The tech company has already released the corresponding security patches. Administrators of affected deployments should upgrade to the following versions:

  • FortiAP-S/W2 6.0.6 or 6.2.2
  • FortiAP 6.0.6
  • FortiAP-U 6.0.0

For more information on updates and their installation, visit Fortinet’s official platforms, as well as official platforms for reporting and publicly disclose security vulnerabilities.

Network security threats appear consistently in the products and deployments of all industry members, making it vital for developers, manufacturers, and users to encourage security failure reporting, installation of security updates and other practices that contribute to the creation of a complete security environment.