Fortinet FortiDeceptor Argument Injection Vulnerability Allowing Arbitrary File Deletion

Vulnerability

An argument injection vulnerability (improper neutralization of argument delimiters in a command) has been identified in Fortinet FortiDeceptor versions 6.2.0, 6.0 (all versions), 5.3 (all versions), 5.2 (all versions), 5.1 (all versions), 5.0 (all versions), 4.3 (all versions), 4.2 (all versions), 4.1 (all versions), and 4.0 (all versions). This vulnerability may allow a privileged attacker with a super-admin profile and CLI access to delete sensitive files by sending crafted HTTP requests.

Impact

Exploitation of this vulnerability could lead to unauthorized deletion of sensitive files via the administrative interface.

Remediation

Users of Fortinet FortiDeceptor 6.2.0 should upgrade to version 6.2.1 or above. Users on FortiDeceptor versions 6.0, 5.3, 5.2, 5.1, 5.0, 4.3, 4.2, 4.1, and 4.0 should migrate to a fixed release.

Added: Mar 10, 2026, 7:20 PM
Updated: Mar 10, 2026, 7:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 5.0
exploitability: 4.4
remediation: 7.7
relevance: 3.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.