CVE-2021-26106

HIGH

FortiAP 6.4.1-6.4.5 and 6.2.4-6.2.5 - Authenticated OS Command Injection via kdbg CLI Command

Title source: llm

Description

An improper neutralization of special elements used in an OS command (CWE-78) in the FortiAP console, versions 6.4.1 through 6.4.5 and 6.2.4 through 6.2.5, may allow an authenticated attacker to execute unauthorized OS commands by running the kdbg CLI command with specially crafted arguments. Exploitation requires an existing console login (local attack vector, low privileges), but the injected commands run with the privileges of the CLI process, hence the high confidentiality, integrity and availability impact.
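The advisory does not publish the kdbg handler, so the following is an added illustration of the CWE-78 pattern described above, not FortiAP code: a console argument spliced into a shell command string beside a hardened handler that validates the argument against a strict allowlist and executes the tool without a shell. The handler names, the `--target` flag, `/bin/debugtool` and the use of `/bin/echo` as a stand-in for the debug tool are assumptions made for the example.

```c
/* Added example of OS command injection (CWE-78) in a CLI command handler.
 * NOT FortiAP's kdbg implementation: names, flags and paths are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_ARG 32

/* Vulnerable pattern: the argument typed at the console is concatenated into
 * a command line that the real handler would pass to system(), i.e. /bin/sh.
 * With arg = "wlan; id" the shell runs /bin/debugtool and then id.
 * Returns 0 on success, -1 if the buffer is too small. */
int build_shell_command_vulnerable(const char *arg, char *cmd, size_t cmdsz) {
    int n = snprintf(cmd, cmdsz, "/bin/debugtool --target %s", arg);
    return (n > 0 && (size_t)n < cmdsz) ? 0 : -1;
}

/* Hardened pattern, step 1: accept only a non-empty token of [A-Za-z0-9_-]
 * shorter than MAX_ARG that does not start with '-', so it can never be
 * parsed as shell syntax or as an option of the invoked tool. */
int is_safe_argument(const char *arg) {
    size_t len = 0;
    while (len < MAX_ARG && arg[len] != '\0') len++;
    if (len == 0 || len >= MAX_ARG || arg[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened pattern, step 2: never involve a shell. fork/execv with a fixed
 * argv keeps `arg` a single argument whatever bytes it contains.
 * `tool` is the program to run (/bin/echo stands in for the debug tool).
 * Returns the child's exit status, or -1 if the argument is rejected or the
 * process could not be started. */
int run_debug_hardened(const char *tool, const char *arg) {
    if (!is_safe_argument(arg)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)tool, "--target", (char *)arg, NULL };
        execv(tool, argv);
        _exit(127);  /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[128];
    build_shell_command_vulnerable("wlan; id", cmd, sizeof cmd);
    printf("vulnerable command line: %s\n", cmd);
    printf("hardened, good arg: %d\n", run_debug_hardened("/bin/echo", "wlan"));
    printf("hardened, injected arg: %d\n", run_debug_hardened("/bin/echo", "wlan; id"));
    return 0;
}
```

The allowlist is deliberately narrower than "reject shell metacharacters": denylists miss cases such as `$()`, backticks and newline, and a leading `-` turns the value into an option for the invoked tool. Running the tool via execv means the validation is defence in depth rather than the only barrier.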

References (1)

Vendor Advisory (confirmed): https://fortiguard.com/advisory/FG-IR-20-210

Scores

CVSS v3.1 7.8 (High)
EPSS 0.0012
EPSS Percentile 30.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
(local access, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality, integrity and availability impact)

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-78
Status published
Products (3)
fortinet/fortiap 6.4.1 - 6.4.6 (upper bound exclusive: affected through 6.4.5, consistent with the description)
fortinet/fortiap-s 6.2.4 - 6.2.6 (upper bound exclusive: affected through 6.2.5)
fortinet/fortiap-w2 6.2.4 - 6.2.6 (upper bound exclusive: affected through 6.2.5)
Published Jul 09, 2021
Tracked Since Feb 18, 2026