Critical SQL injection and operating system command injection vulnerabilities in Fortinet FortiWLM. Update as soon as possible

Cybersecurity specialists report the detection of two vulnerabilities in FortiWLM, a complete management solution for controllers and access and troubleshooting points developed by Fortinet. According to the report, the successful exploitation of these flaws could lead to complex risk scenarios.

Below are brief descriptions of the reported flaws, in addition to their respective identification keys and scores assigned under the Common Vulnerability Scoring System (CVSS).

CVE-2021-43077: Improper disinfection of user-provided data in AP monitor drivers would allow remote users to send specially crafted requests to the affected application to execute arbitrary SQL commands within the application database.

This is a medium severity vulnerability and received a CVSS score of 7.1/10.

CVE-2021-43075: Incorrect input validation in the alarm panel and driver configuration drivers would allow authenticated remote users to send specially crafted HTTP requests and execute arbitrary commands on the affected operating system.

The vulnerability received a CVSS score of 7.7/10.

According to the report, the flaws reside in the following versions of Forrtinet FortiWLM: 8.6.0 – 8.6.2, 8.4.0 – 8.4.2.

While flaws can be exploited by unauthenticated threat actors, no active exploitation attempts related to these reports have been detected so far. Still, Fortinet’s security teams recommend users of affected deployments upgrade as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.