Summary
An OS Command Injection vulnerability [CWE-78] in FortiWeb API may allow an authenticated attacked to execute arbitrary commands via a specialy crafted HTTP request.
| Version | Affected | Solution |
|---|---|---|
| FortiWeb 8.0 | 8.0.0 through 8.0.1 | Upgrade to 8.0.3 or above |
| FortiWeb 7.6 | 7.6.0 through 7.6.5 | Upgrade to 7.6.7 or above |
| FortiWeb 7.4 | 7.4.0 through 7.4.11 | Upgrade to 7.4.12 or above |
| FortiWeb 7.2 | 7.2.0 through 7.2.12 | Upgrade to upcoming 7.2.13 or above |
| FortiWeb 7.0 | 7.0.0 through 7.0.12 | Upgrade to upcoming 7.0.13 or above |
Workaround:
Disable web vulnerability scan feature visibility to prevent use via the GUI:
# config system feature-visibility
(feature-visibi~i) # set wvs disable
(feature-visibi~i) # end
Use trusted hosts to limit access to the REST API
Acknowledgement
Internally discovered and reported by Loic Pantano of Fortinet PSIRT
Timeline
2026-03-10: Initial publication
