CVE-2021-26110
📋 TL;DR
This vulnerability allows authenticated low-privileged attackers to escalate their privileges to super_admin on affected Fortinet devices. Attackers can exploit improper access control in the autod daemon via crafted CLI scripts. Affected systems include FortiOS versions 7.0.0, 6.4.6 and below, 6.2.9 and below, 6.0.12 and below, and FortiProxy versions 2.0.1 and below, 1.2.9 and below.
💻 Affected Systems
- FortiOS
- FortiProxy
📦 What is this software?
FortiOS by Fortinet
FortiProxy by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with super_admin privileges, allowing full control over network security policies, user accounts, and device configuration.
Likely Case
Privilege escalation from low-privileged user to administrative access, enabling unauthorized configuration changes and potential lateral movement.
If Mitigated
Once patched, a low-privileged account can no longer use the autod script path to reach super_admin; remaining exposure is limited to what each authenticated account's own access profile already permits.
🎯 Exploit Status
Exploitation requires an authenticated (low-privileged) administrator account and a specifically crafted fabric automation CLI script / auto-script configuration. No public exploit code was available at the time of the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiOS 7.0.1, 6.4.7, 6.2.10, 6.0.13; FortiProxy 2.0.2, 1.2.10
Vendor Advisory: https://fortiguard.com/advisory/FG-IR-20-131
Restart Required: Yes
Instructions:
1. Download the appropriate firmware version from the Fortinet support portal.
2. Back up the current configuration.
3. Upload and install the firmware update via the web interface or CLI.
4. Reboot the device after installation.
🔧 Temporary Workarounds
Restrict automation script access
Limit access to the fabric automation and auto-script features to trusted administrators only. Give every administrator account an access profile that matches its role (replace [username] and the profile name; "prof_admin" below is the built-in read-write profile and stands in as a placeholder):
config system admin
    edit [username]
        set accprofile "prof_admin"
    next
end
Disable unnecessary automation features
Remove fabric automation CLI scripts and auto-script entries that are not required for operations. 'config system auto-script' is a per-entry table, so each script is removed by name (replace [script-name]); automation stitches that run CLI-script actions can likewise be disabled per entry with 'set status disable' under 'config system automation-stitch'.
config system auto-script
    delete [script-name]
end
🧯 If You Can't Patch
- Implement strict access controls and monitor for privilege escalation attempts
- Segment network to limit lateral movement from compromised devices
🔍 How to Verify
Check if Vulnerable:
Check FortiOS/FortiProxy version via CLI: 'get system status' or web interface System > Dashboard
Check Version:
get system status
Verify Fix Applied:
Verify version is patched: 'get system status' should show version 7.0.1+, 6.4.7+, 6.2.10+, 6.0.13+ for FortiOS or 2.0.2+, 1.2.10+ for FortiProxy
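The version check above is easy to get wrong by hand because each release branch has its own fix version (7.0.1, 6.4.7, 6.2.10, 6.0.13 for FortiOS; 2.0.2, 1.2.10 for FortiProxy). The following Python snippet is an added example, not Fortinet tooling: it parses the Version line of 'get system status' output and compares the version against the fix list on this page, branch by branch. The sample status output is constructed, and the product is inferred from the model prefix (an assumption: FortiProxy models start with "FortiProxy", everything else is treated as FortiOS).

```python
import re

# Fixed versions per release branch, taken from the fix list on this page.
# Branches not listed here (e.g. 5.6) are reported as "not assessed" rather than guessed.
FIXED = {
    "FortiOS": {(7, 0): (7, 0, 1), (6, 4): (6, 4, 7), (6, 2): (6, 2, 10), (6, 0): (6, 0, 13)},
    "FortiProxy": {(2, 0): (2, 0, 2), (1, 2): (1, 2, 10)},
}

# Matches e.g. "Version: FortiGate-100F v6.4.6,build1879,210520 (GA)".
VERSION_RE = re.compile(r"Version:\s*(?P<model>\S+)\s+v(?P<ver>\d+\.\d+\.\d+)")

# Constructed sample of `get system status` output (not captured from a real device).
SAMPLE_STATUS = """Version: FortiGate-100F v6.4.6,build1879,210520 (GA)
Virus-DB: 1.00000(2018-04-09 18:07)
Serial-Number: FG100F0000000000
Hostname: fw1
"""


def parse_version(status_output):
    """Return (product, (major, minor, patch)) from `get system status` output.

    Assumption: model names beginning with "FortiProxy" are FortiProxy; all other
    models (FortiGate, FortiWiFi, ...) run FortiOS.
    """
    m = VERSION_RE.search(status_output)
    if not m:
        raise ValueError("no 'Version:' line found in status output")
    product = "FortiProxy" if m.group("model").startswith("FortiProxy") else "FortiOS"
    version = tuple(int(part) for part in m.group("ver").split("."))
    return product, version


def is_vulnerable(product, version):
    """True if below the branch fix, False if at/above it, None if the branch is not on the list."""
    fix = FIXED[product].get(version[:2])
    if fix is None:
        return None
    return version < fix


def assess(status_output):
    """Combine parsing and comparison into one verdict for a pasted status dump."""
    product, version = parse_version(status_output)
    verdict = is_vulnerable(product, version)
    state = {True: "VULNERABLE", False: "patched", None: "branch not assessed"}[verdict]
    return {"product": product, "version": ".".join(map(str, version)), "state": state}


if __name__ == "__main__":
    print(assess(SAMPLE_STATUS))
```

Paste the real output of 'get system status' in place of SAMPLE_STATUS; a branch outside the page's list is deliberately reported as not assessed so that it is checked against the vendor advisory rather than silently treated as safe.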
📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation events
- Multiple failed authentication attempts followed by successful admin access
- Changes to automation script configurations
Network Indicators:
- Unexpected administrative access from non-admin accounts
- Unusual CLI script execution patterns
SIEM Query:
Illustrative query with generic field names; map them to the FortiGate event-log fields your SIEM ingests (such as user, ui, action, cfgpath and cfgattr) and replace low_privilege_user with the actual non-super_admin account names:
source="fortigate" AND (event_type="admin_login" OR event_type="config_change") AND user="low_privilege_user"
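To make the log indicators above concrete, here is an added Python example (not Fortinet code and not part of the original page) that runs three detection rules over FortiGate-style key=value event lines: a configuration change under the automation/auto-script config paths, an admin account's accprofile being changed to super_admin, and a successful admin login whose reported profile does not match the profile the account is supposed to have. The log lines are constructed and modeled on FortiGate event-log fields (logdesc, user, ui, action, cfgpath, cfgobj, cfgattr, profile); the expected-profile inventory is a hypothetical stand-in for your own account list.

```python
import re

# FortiGate logs are key=value pairs; values with spaces or punctuation are double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Config paths of the features named in the advisory (fabric automation CLI scripts, auto-scripts).
AUTOMATION_PATHS = ("system.auto-script", "system.automation-action", "system.automation-stitch")

# FortiGate writes attribute changes as name[old->new] in cfgattr.
PROFILE_CHANGE_RE = re.compile(r"accprofile\[([^\]]*)->([^\]]*)\]")

# Hypothetical inventory: the access profile each administrator account is supposed to have.
EXPECTED_PROFILE = {"admin": "super_admin", "bob": "prof_readonly"}

# Constructed sample events (not from a real device), modeled on FortiGate event-log fields.
SAMPLE_LOGS = [
    # low-privileged "bob" creates an auto-script entry
    'date=2021-06-01 time=10:00:01 devname="fw1" logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="bob" ui="ssh(10.0.0.5)" '
    'action="Add" cfgpath="system.auto-script" cfgobj="x" msg="Add system.auto-script x"',
    # bob's own account is changed to super_admin
    'date=2021-06-01 time=10:00:05 devname="fw1" logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="bob" ui="ssh(10.0.0.5)" '
    'action="Edit" cfgpath="system.admin" cfgobj="bob" cfgattr="accprofile[prof_readonly->super_admin]" '
    'msg="Edit system.admin bob"',
    # bob logs back in and now carries the super_admin profile
    'date=2021-06-01 time=10:01:00 devname="fw1" logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="bob" ui="ssh(10.0.0.5)" '
    'method="ssh" srcip=10.0.0.5 action="login" status="success" profile="super_admin" '
    'msg="Administrator bob logged in successfully from ssh(10.0.0.5)"',
    # benign: the real super admin edits a firewall policy
    'date=2021-06-01 time=10:05:00 devname="fw1" logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="https(10.0.0.9)" '
    'action="Edit" cfgpath="firewall.policy" cfgobj="1" msg="Edit firewall.policy 1"',
]


def parse_fortigate_line(line):
    """Parse one key=value line into a dict, handling both quoted and unquoted values."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in KV_RE.finditer(line)
    }


def detect(lines):
    """Apply the three rules and return one alert dict per hit, in log order."""
    alerts = []
    for line in lines:
        ev = parse_fortigate_line(line)
        if ev.get("type") != "event":
            continue
        user, ui, path = ev.get("user", ""), ev.get("ui", ""), ev.get("cfgpath", "")
        if ev.get("logdesc") == "Object attribute configured":
            # Rule 1: any change to the automation / auto-script configuration.
            if path.startswith(AUTOMATION_PATHS):
                alerts.append({"rule": "automation_config_change", "user": user, "ui": ui,
                               "action": ev.get("action"), "cfgpath": path, "cfgobj": ev.get("cfgobj")})
            # Rule 2: an admin account's access profile changed to super_admin.
            if path == "system.admin":
                m = PROFILE_CHANGE_RE.search(ev.get("cfgattr", ""))
                if m and m.group(2) == "super_admin":
                    alerts.append({"rule": "profile_escalation", "user": user, "ui": ui,
                                   "target": ev.get("cfgobj"), "old_profile": m.group(1),
                                   "new_profile": m.group(2)})
        elif ev.get("logdesc") == "Admin login successful":
            # Rule 3: login profile differs from the inventory's expectation for that account.
            expected, actual = EXPECTED_PROFILE.get(user), ev.get("profile")
            if expected is not None and actual is not None and actual != expected:
                alerts.append({"rule": "login_profile_mismatch", "user": user, "ui": ui,
                               "expected_profile": expected, "actual_profile": actual})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Rule 2 is the highest-fidelity signal for this CVE, since the outcome of a successful exploit is an account ending up with super_admin; rule 1 is noisier on devices that legitimately use automation, so scope it to accounts that are not expected to hold super_admin.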