CVE-2021-24016

LOW

Fortinet FortiManager <6.4.3 - Command Injection

Title source: llm

Description

An improper neutralization of formula elements in a CSV file in Fortinet FortiManager versions 6.4.3 and below and 6.2.7 and below allows an attacker to execute arbitrary commands via a crafted IPv4 field in the policy name, when exported as an Excel file and opened unsafely on the victim host.

Scores

CVSS v3 3.7
EPSS 0.0014
EPSS Percentile 34.2%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-1236
Status published
Products (1)
fortinet/fortimanager < 6.2.8
Published Sep 30, 2021
Tracked Since Feb 18, 2026