Fortinet has issued a warning to its customers about a critical OS command injection vulnerability identified as CVE-2023-36553 in its FortiSIEM report server. The flaw could be exploited by a remote, unauthenticated attacker to execute unauthorized commands by sending specially crafted API requests. The advisory from the vendor stated, “An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM report server may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.”
FortiSIEM, a security information and event management (SIEM) solution by Fortinet, collects, aggregates, and correlates log data from various sources across the network. The vulnerability in question was discovered by Adham El karn, a member of the Fortinet Product Security team. The flaw impacts Fortinet FortiSIEM versions 5.4.0, 5.3.0 through 5.3.3, 5.2.5 through 5.2.8, 5.2.1 through 5.2.2, 5.1.0 through 5.1.3, 5.0.0 through 5.0.1, 4.10.0, 4.9.0, and 4.7.2.
The vulnerability was internally identified as a variant of another issue, CVE-2023-34992, which also involved improper neutralization of special elements used in an OS command (OS command injection) in FortiSIEM versions 7.0.0, 6.7.0 through 6.7.5, 6.6.0 through 6.6.3, 6.5.0 through 6.5.1, and 6.4.0 through 6.4.2. Fortinet addressed that earlier issue in early October. It remains unclear whether the vulnerability is being actively exploited in the wild.