CVE-2021-36194

HIGH

FortiWeb 6.3.0-6.3.15, 6.4.0-6.4.1 - Authenticated Remote Code Execution via API Controller Buffer Overflow

Title source: llm
STIX 2.1

Description

Multiple stack-based buffer overflows in the API controllers of FortiWeb 6.4.1, 6.4.0, and 6.3.0 through 6.3.15 may allow an authenticated attacker to achieve arbitrary code execution via specially crafted requests.

References (1)

Core 1
Core References
Patch, Vendor Advisory x_refsource_confirm
https://fortiguard.com/advisory/FG-IR-21-152

Scores

CVSS v3 8.8
EPSS 0.0076
EPSS Percentile 73.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-787
Status published
Products (3)
fortinet/fortiweb 6.4.0
fortinet/fortiweb 6.4.1
fortinet/fortiweb 6.3.0 - 6.3.15
Published Dec 09, 2021
Tracked Since Feb 18, 2026