A improper neutralization of special elements used in an os command ('os command injection') vulnerability [CWE-78] in Fortinet FortiWeb CLI version 7.6.0 through 7.6.3 and before 7.4.8 allows a privileged attacker to execute arbitrary code or command via crafted CLI commands.
Fixes

Solution

Please upgrade to FortiWeb version 7.6.4 or above Please upgrade to FortiWeb version 7.4.9 or above


Workaround

No workaround given by the vendor.

History

Fri, 15 Aug 2025 12:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*

Thu, 14 Aug 2025 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Fortinet
Fortinet fortiweb
Vendors & Products Fortinet
Fortinet fortiweb
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Description A improper neutralization of special elements used in an os command ('os command injection') vulnerability [CWE-78] in Fortinet FortiWeb CLI version 7.6.0 through 7.6.3 and before 7.4.8 allows a privileged attacker to execute arbitrary code or command via crafted CLI commands.
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:X/RC:C'}


cve-icon MITRE

Status: PUBLISHED

Assigner: fortinet

Published:

Updated: 2025-08-13T20:13:28.582Z

Reserved: 2025-05-12T13:58:15.236Z

Link: CVE-2025-47857

cve-icon Vulnrichment

Updated: 2025-08-13T14:13:38.730Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-12T19:15:29.997

Modified: 2025-08-15T12:25:37.050

Link: CVE-2025-47857

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-13T21:47:44Z