CVE-2022-27489

CVE Database · CVE-2022-27489

CVE-2022-27489

· HIGHModified

CVSS v3.1

7.2

EPSS

1.53%

Published

Feb 16, 2023

Modified

Nov 21, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiExtender 7.0.0 through 7.0.3, 5.3.2, 4.2.4 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-78CWE-78

Affected Products (12)

fortinet · fortiextender_firmware (up to 3.2.4)vulnerable

fortinet · fortiextender_firmware (up to 3.3.3)vulnerable

fortinet · fortiextender_firmware (up to 4.1.9)vulnerable

fortinet · fortiextender_firmware (up to 4.2.5)vulnerable

fortinet · fortiextender_firmware (up to 7.0.4)vulnerable

fortinet · fortiextender_firmwarevulnerable

fortinet · fortiextender_firmware

References (2)

https://fortiguard.com/psirt/FG-IR-22-048

Vendor Advisory

https://fortiguard.com/psirt/FG-IR-22-048

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs