---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Fortinet Fortiweb Vulnerability'
version: '1.0'
number: '2021-068'
date: 'December 13, 2021'
---

_History:_

* _13/12/2021 --- v1.0 -- Initial publication_

# Summary

On December 7th, Fortinet PSIRT released an advisory to address a heap-based buffer overflow vulnerability in FortiWeb. This vulnerability (CVE-2021-43071) allows an attacker to execute arbitrary code and commands on the affected product [1].

# Technical Details

The vulnerability is due to an heap-based buffer overflow in API v1.0 controller. To exploit this vulnerability, an attacker can send crafted HTTP requests to the `LogAccess` and `LogReport API` controller to execute arbitrary code or commands.

# Affected Products

The affected products are the following:

- FortiWeb version 6.4.1 and below.
- FortiWeb version 6.3.16 and below.
- FortiWeb version 6.2.6 and below.

# Recommendations

CERT-EU strongly recommends to upgrade to the following versions:

- FortiWeb version 7.0.0 or above.
- FortiWeb version 6.4.2 or above.
- FortiWeb version 6.3.17 or above.

Fortinet PSIRT also precise that the fix for FortiWeb versions 6.2 has to be confirmed.

# References

[1] <https://www.fortiguard.com/psirt/FG-IR-21-188>