CVE-2021-44168

LOW KEV

FortiOS < 6.0.14 - Authenticated Arbitrary File Write via Restore Command

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2021-44168 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 10, 2021. EIP tracks 1 public exploit from researchers including 0xhaggis.

AI-analyzed exploit summary This exploit leverages CVE-2021-44168 to achieve remote code execution on FortiGate firewalls by crafting a malicious package file that exploits directory traversal during extraction. The payload drops a shell accessible via LD_PRELOAD manipulation, granting root access.

Description

A download of code without integrity check vulnerability in the "execute restore src-vis" command of FortiOS before 7.0.3 may allow a local authenticated attacker to download arbitrary files on the device via specially crafted update packages.

Exploits (1)

nomisec WORKING POC 21 stars
by 0xhaggis · remote
https://github.com/0xhaggis/CVE-2021-44168

This exploit leverages CVE-2021-44168 to achieve remote code execution on FortiGate firewalls by crafting a malicious package file that exploits directory traversal during extraction. The payload drops a shell accessible via LD_PRELOAD manipulation, granting root access.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: FortiGate firewall <= 7.0.2
Auth required
Prerequisites: Access to FortiGate admin CLI · Ability to upload malicious package via TFTP
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 3.3
EPSS 0.0086
EPSS Percentile 53.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact partial

Details

CISA KEV 2021-12-10
VulnCheck KEV 2021-12-07
InTheWild.io 2021-12-07
ENISA EUVD EUVD-2021-31018
CWE
CWE-494
Status published
Products (1)
fortinet/fortios < 6.0.14
Published Jan 04, 2022
KEV Added Dec 10, 2021
Tracked Since Feb 18, 2026