Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Multiple improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerabilities [CWE-78] in Fortinet FortiIsolator version 2.4.0 through 2.4.5 allows an authenticated attacker with at least read-only admin permission and CLI access to execute unauthorized code via specifically crafted CLI commands.
AnalysisAI
in Fortinet FortiIsolator version 2.4.0 versions up to 2.4.5 is affected by os command injection (CVSS 8.8).
Technical ContextAI
This vulnerability (CWE-78: OS Command Injection) affects in Fortinet FortiIsolator version 2.4.0. Multiple improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerabilities [CWE-78] in Fortinet FortiIsolator version 2.4.0 through 2.4.5 allows an authenticated attacker with at least read-only admin permission and CLI access to execute unauthorized code via specifically crafted CLI commands.
Affected ProductsAI
Product: in Fortinet FortiIsolator version 2.4.0. Versions: up to 2.4.5.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Fortinet FortiWeb contains a relative path traversal allowing unauthenticated attackers to execute administrative comman
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Fortinet FortiWeb contains an authenticated OS command injection allowing privilege escalation to execute unauthorized c
Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0
Buffer overflow in the Cookie parser in Fortinet FortiOS 4.x before 4.1.11, 4.2.x before 4.2.13, and 4.3.x before 4.3.9
A product has a SQL injection vulnerability enabling unauthenticated database compromise through improperly neutralized
Remote code execution in Fortinet FortiClientEMS versions 7.4.5 through 7.4.6 allows unauthenticated attackers to execut
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in
Fortinet FortiAnalyzer and FortiManager contain a critical authentication bypass vulnerability (CVE-2026-24858, CVSS 9.8
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
The Gzip file parser in AVG Anti-Virus 10.0.0.1190, Bitdefender 7.2, Command Antivirus 5.2.11.5, Emsisoft Anti-Malware 5
The TAR file parser in AhnLab V3 Internet Security 2011.01.18.00, Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2.0.3.7,
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today