CVE-2021-26102
📋 TL;DR
A relative path traversal vulnerability in FortiWAN allows unauthenticated remote attackers to delete system files via crafted POST requests. Deleting specific configuration files resets the admin password to default values. Affects FortiWAN versions 4.5.7 and below, and all 4.4 versions.
💻 Affected Systems
- FortiWAN
📦 What is this software?
FortiWAN by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via admin password reset, allowing an attacker to reconfigure the device, intercept traffic, or use it as a pivot point into internal networks.
Likely Case
Admin password reset leading to unauthorized administrative access, configuration changes, and potential service disruption.
If Mitigated
Attack blocked at perimeter, no impact to internal systems.
🎯 Exploit Status
Simple HTTP POST request with path traversal payload, no authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.5.8 or later
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-21-048
Restart Required: Yes
Instructions:
1. Download FortiWAN 4.5.8 or later from the Fortinet support portal.
2. Back up the current configuration.
3. Apply the firmware update via the web interface or CLI.
4. Reboot the device.
5. Verify the version after reboot.
🔧 Temporary Workarounds
Restrict Web Interface Access
Limit access to the FortiWAN web management interface to trusted IP addresses only.
Configure firewall rules to restrict access to the FortiWAN management IP/ports (default TCP 443).
🧯 If You Can't Patch
- Isolate FortiWAN devices behind firewalls with strict access controls
- Implement network segmentation to limit potential lateral movement
🔍 How to Verify
Check if Vulnerable:
Check FortiWAN version via web interface (System > Status) or CLI 'get system status'
Check Version:
get system status | grep Version
Verify Fix Applied:
Confirm the running version is 4.5.8 or later; optionally confirm with a vulnerability scanner or an authorised test in a controlled environment.
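For fleet-wide checks, the version rule from this advisory (all 4.4.x affected, 4.5.x affected up to 4.5.7, fixed in 4.5.8 and later) can be applied to the output of the version command automatically. The following is an added example, not Fortinet's code; the sample output strings are constructed and the exact format of `get system status` output is an assumption, which is why the parser only looks for the first dotted version number.

```python
import re
from typing import Optional, Tuple

# From the advisory: 4.5.8 or later is fixed.
FIXED_VERSION = (4, 5, 8)

# First dotted "a.b.c" not glued to other digits or dots (so "v4.4.12" works).
VERSION_RE = re.compile(r'(?<![\d.])(\d+)\.(\d+)\.(\d+)(?![\d.])')


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first dotted version (e.g. '4.5.7') from CLI or web output.
    Returns a tuple of ints, or None if no version is present."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]


def is_vulnerable(version_text: str) -> Optional[bool]:
    """Apply the advisory's affected range:
      - every 4.4.x release is affected
      - 4.5.x is affected when older than 4.5.8
    Returns None when no version can be parsed or the branch (major.minor)
    is not one the advisory describes, so an unknown branch is never
    silently reported as safe."""
    v = parse_version(version_text)
    if v is None:
        return None
    major, minor, _ = v
    if (major, minor) == (4, 4):
        return True
    if (major, minor) == (4, 5):
        return v < FIXED_VERSION
    return None


if __name__ == "__main__":
    # Constructed sample outputs; the real command output format may differ.
    for sample in ("Version: FortiWAN 4.5.7 build 0123", "Version: FortiWAN 4.5.8",
                   "v4.4.12", "5.0.0", "no version here"):
        print(f"{sample!r:45} -> vulnerable={is_vulnerable(sample)}")
```

A `None` result should be treated as "needs manual review" rather than "not affected": the advisory only describes the 4.4 and 4.5 branches.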
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests with path traversal patterns (../ sequences) to FortiWAN management interface
- Unauthorized configuration file deletion events
Network Indicators:
- Unusual POST requests to FortiWAN management port from unexpected sources
- Multiple failed login attempts after password reset
SIEM Query:
source="fortiwan" AND http_method="POST" AND uri="*../*"
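The two log indicators above (traversal sequences in POST requests, and repeated failed logins after a reset) can be checked outside a SIEM as well. The following is an added example, not part of this advisory and not Fortinet's code: it parses constructed access-log lines in a combined-log-like format, percent-decodes the URI (bounded, so double-encoded `..%2F` is caught), folds backslashes, and flags `..` path segments; the request paths and the `/login` path are placeholders, not FortiWAN's real endpoints.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log-like format). They are
# illustrative only, not real FortiWAN output, and the paths are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:08:12:01 +0000] "POST /cgi-bin/example HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2021:08:12:05 +0000] "POST /cgi-bin/example?file=../../../config/example.conf HTTP/1.1" 200 40
198.51.100.9 - - [10/Mar/2021:08:13:00 +0000] "POST /login?next=..%2F..%2Fadmin HTTP/1.1" 302 0
198.51.100.9 - - [10/Mar/2021:08:13:02 +0000] "POST /cgi-bin/example?p=%252e%252e%252f HTTP/1.1" 404 0
192.0.2.44 - - [10/Mar/2021:08:14:00 +0000] "GET /assets/app.js HTTP/1.1" 200 8812
192.0.2.44 - - [10/Mar/2021:08:14:30 +0000] "POST /login HTTP/1.1" 401 0
192.0.2.44 - - [10/Mar/2021:08:14:35 +0000] "POST /login HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# A ".." segment delimited on the left by start-of-string, a slash, backslash
# or query delimiter, and on the right by a slash, backslash or end-of-string.
# "b..c" or "..x" are therefore not matched.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=?&;])\.\.(?:[/\\]|$)')


def normalise_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded sequences become
    visible, then fold backslashes to forward slashes."""
    current = uri
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def has_traversal(uri: str) -> bool:
    """True if the decoded URI contains a '..' path segment."""
    return TRAVERSAL_RE.search(normalise_uri(uri)) is not None


def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_traversal_requests(log_text: str, methods=("POST",)):
    """Return log entries whose URI carries a traversal pattern. By default only
    POST requests are considered, matching the advisory's indicator; pass
    methods=None to consider every method."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if methods is not None and entry["method"] not in methods:
            continue
        if has_traversal(entry["uri"]):
            entry["decoded_uri"] = normalise_uri(entry["uri"])
            findings.append(entry)
    return findings


def failed_logins_by_source(log_text: str, login_path: str = "/login", threshold: int = 2):
    """Count 401/403 responses on the login path per source and return sources
    at or above the threshold (the 'multiple failed logins' indicator).
    The login path is a placeholder, not FortiWAN's real one."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["uri"].split("?")[0] == login_path and entry["status"] in ("401", "403"):
            counts[entry["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for f in find_traversal_requests(SAMPLE_LOG):
        print(f"{f['src']} {f['method']} {f['uri']} -> {f['decoded_uri']} ({f['status']})")
    print("repeated login failures:", failed_logins_by_source(SAMPLE_LOG))
```

Matching on the decoded URI is what makes the difference from the plain `*../*` SIEM pattern: the second and third flagged lines above carry no literal `../` in the raw request.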