Security News > 2021 > August > Unpatched Remote Hacking Flaw Disclosed in Fortinet's FortiWeb WAF
Details have emerged about a new unpatched security vulnerability in Fortinet's web application firewall appliances that could be abused by a remote, authenticated attacker to execute malicious commands on the system.
"An OS command injection vulnerability in FortiWeb's management interface can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page," cybersecurity firm Rapid7 said in an advisory published Tuesday.
Fortinet is expected to release a patch at the end of August with version Fortiweb 6.4.1.
The command injection flaw is yet to be assigned a CVE identifier, but it has a severity rating of 8.7 on the CVSS scoring system.
Successful exploitation of the vulnerability can allow authenticated attackers to execute arbitrary commands as the root user on the underlying system via the SAML server configuration page.
Although there is no evidence that the new security issue has been exploited in the wild, it's worth noting that unpatched Fortinet servers have been a lucrative target for financially motivated and state-sponsored threat actors alike.