Fortinet Products Excluding FortiWeb Privilege Escalation Vulnerability via Externally-Controlled Format Strings

Vulnerability

A vulnerability allowing privilege escalation through the use of externally-controlled format strings has been identified in multiple Fortinet products. This issue affects FortiOS versions 7.4.0 to 7.4.4, 7.2.0 to 7.2.9, 7.0.0 to 7.0.15, and versions prior to 6.4.15. FortiProxy versions 7.4.0 to 7.4.6, 7.2.0 to 7.2.12, and versions prior to 7.0.19 are also affected. Additionally, FortiPAM and FortiSRA versions 1.4.0 to 1.4.2 and prior to 1.3.1 are vulnerable. FortiWeb versions 7.4.0 to 7.4.5, 7.2.0 to 7.2.10, and versions prior to 7.0.10 are impacted as well. This vulnerability allows a privileged attacker to execute unauthorized code or commands by sending specially crafted HTTP or HTTPS requests.
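As an added example (not from the advisory or from Fortinet), the check below tests an asset inventory against the affected ranges stated above, comparing versions numerically so that 7.0.15 sorts after 7.0.9; the hostnames and versions in the sample inventory are constructed, and the function names are my own.

```python
def parse_version(v: str) -> tuple:
    """Turn '7.4.4' into (7, 4, 4) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in v.strip().split("."))

# Affected ranges copied from the advisory text. Each entry is
# (lowest affected, highest affected, highest-is-inclusive); a lowest
# of None means "every version below the upper bound" ("prior to X").
AFFECTED = {
    "FortiOS": [("7.4.0", "7.4.4", True), ("7.2.0", "7.2.9", True),
                ("7.0.0", "7.0.15", True), (None, "6.4.15", False)],
    "FortiProxy": [("7.4.0", "7.4.6", True), ("7.2.0", "7.2.12", True),
                   (None, "7.0.19", False)],
    "FortiPAM": [("1.4.0", "1.4.2", True), (None, "1.3.1", False)],
    "FortiSRA": [("1.4.0", "1.4.2", True), (None, "1.3.1", False)],
    "FortiWeb": [("7.4.0", "7.4.5", True), ("7.2.0", "7.2.10", True),
                 (None, "7.0.10", False)],
}


def is_affected(product: str, version: str) -> bool:
    """True if product/version falls inside one of the advisory's ranges."""
    v = parse_version(version)
    for low, high, high_inclusive in AFFECTED[product]:
        above_low = low is None or v >= parse_version(low)
        h = parse_version(high)
        below_high = v <= h if high_inclusive else v < h
        if above_low and below_high:
            return True
    return False


def triage(inventory):
    """Return the (host, product, version) entries that still need patching."""
    return [(host, product, version)
            for host, product, version in inventory
            if is_affected(product, version)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.4.3"),
    ("fw-edge-02", "FortiOS", "7.4.5"),
    ("proxy-01", "FortiProxy", "7.0.18"),
    ("pam-01", "FortiPAM", "1.3.1"),
    ("waf-01", "FortiWeb", "7.2.11"),
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_INVENTORY):
        print("needs remediation:", *entry)
```

Versions outside every listed range (for example a 6.5.x build) are reported as not affected because the advisory does not list them, so treat the result as a reading of this advisory rather than a full vendor lookup.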

Impact

Exploitation of this vulnerability could lead to unauthorized code execution or command execution with elevated privileges.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          6.8
  impact          7.5
  exploitability  4.9
  remediation     0.0
  relevance       0.0
  threat          0.0
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.