CVE-2021-36185
📋 TL;DR
This vulnerability allows attackers to execute arbitrary operating system commands on Fortinet FortiWLM systems by sending specially crafted HTTP requests. It affects FortiWLM version 8.6.1 and earlier. Attackers can potentially gain full control of affected systems.
💻 Affected Systems
- Fortinet FortiWLM
📦 What is this software?
FortiWLM by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing an attacker to install persistent backdoors, steal sensitive data, pivot to other network resources, or deploy ransomware.
Likely Case
Unauthorized command execution leading to data exfiltration, service disruption, or lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation and access controls prevent exploitation attempts from reaching vulnerable systems.
🎯 Exploit Status
The vulnerability requires no authentication and exploitation is straightforward once the attack vector is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.6.2 or later
Vendor Advisory: https://fortiguard.com/advisory/FG-IR-21-110
Restart Required: Yes
Instructions:
1. Download FortiWLM version 8.6.2 or later from the Fortinet support portal.
2. Back up the current configuration.
3. Apply the update following Fortinet's upgrade procedures.
4. Restart the system to complete the installation.
🔧 Temporary Workarounds
Network Access Restriction
Restrict HTTP/HTTPS access to the FortiWLM management interface to trusted IP addresses only.
Configure firewall rules to allow only specific source IPs to reach the FortiWLM management ports (typically 80/443).
🧯 If You Can't Patch
- Isolate FortiWLM systems in a separate network segment with strict access controls
- Implement web application firewall (WAF) rules to block OS command injection patterns
🔍 How to Verify
Check if Vulnerable:
Check the FortiWLM version via the web interface (System > Dashboard) or with the CLI command 'get system status'.
Check Version:
get system status | grep Version
Verify Fix Applied:
Verify that the running version is 8.6.2 or higher and test that command injection attempts are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- HTTP requests containing shell metacharacters like ;, |, &, $, `
Network Indicators:
- HTTP requests to FortiWLM with suspicious parameters containing shell commands
SIEM Query:
source="fortiwlm" AND (http_request CONTAINS ";" OR http_request CONTAINS "|" OR http_request CONTAINS "$" OR http_request CONTAINS "`")
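The SIEM query above is written in a generic pseudo-syntax, and applied literally it has two weaknesses: it misses URL-encoded metacharacters (`%3B` for `;`, `%24` for `$`, double-encoded `%2524`), and a naive match on `&` fires on every multi-parameter query string. The following Python script is an added example, not part of this advisory or of any Fortinet tooling, that implements the "Detection & Monitoring" indicators and the "How to Verify" version check as runnable logic: it splits the query on raw `&` separators first, URL-decodes each value repeatedly, and only then looks for the metacharacters the advisory lists, and it compares version numbers numerically against the 8.6.2 fix. The access-log lines, paths and IP addresses are constructed for the demonstration and are not FortiWLM endpoints; the log format is assumed to be a standard combined/common access-log shape.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import unquote_plus

# Metacharacters named in the advisory's log indicators: ; | & $ `
SHELL_METACHARS = set(";|&$`")

# Fixed release from the advisory: 8.6.2 or later.
FIXED_VERSION = (8, 6, 2)

# Constructed sample access-log lines (common log format). Paths and IPs are
# invented for this example and are not real FortiWLM endpoints.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2021:10:00:01 +0000] "GET /login.html HTTP/1.1" 200 512
10.0.0.5 - - [01/Aug/2021:10:00:02 +0000] "GET /search?q=site+survey&page=2 HTTP/1.1" 200 1024
198.51.100.7 - - [01/Aug/2021:10:00:03 +0000] "GET /search?q=x%3Bid HTTP/1.1" 200 88
198.51.100.7 - - [01/Aug/2021:10:00:04 +0000] "POST /api/v1/job?name=%2524(whoami) HTTP/1.1" 200 88
198.51.100.7 - - [01/Aug/2021:10:00:05 +0000] "GET /report?name=a%26b HTTP/1.1" 200 88
""".splitlines()

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


@dataclass
class Alert:
    line_no: int
    source_ip: str
    method: str
    target: str
    metachars: List[str]


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded input (%2524 -> %24 -> $) is seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def shell_metachars_in_target(target: str) -> List[str]:
    """Return the advisory's shell metacharacters found in a request target.

    The raw '&' is the parameter separator, so the query is split on it before
    decoding; an encoded %26 inside a value still decodes to '&' and is flagged.
    """
    path, _, query = target.partition("?")
    segments = [path] + (query.split("&") if query else [])
    found: List[str] = []
    for seg in segments:
        # Inspect the value of k=v pairs; bare tokens and the path are inspected whole.
        value = seg.partition("=")[2] if "=" in seg else seg
        for ch in decode_fully(value):
            if ch in SHELL_METACHARS and ch not in found:
                found.append(ch)
    return found


def scan_access_log(lines: List[str]) -> List[Alert]:
    """Run the metacharacter indicator over access-log lines; unparsable lines are skipped."""
    alerts: List[Alert] = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, method, target, _status = m.groups()
        chars = shell_metachars_in_target(target)
        if chars:
            alerts.append(Alert(line_no, ip, method, target, chars))
    return alerts


def parse_version(text: str) -> Tuple[int, ...]:
    """Pull the first x.y.z out of text such as a 'get system status' line."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable_version(text: str) -> bool:
    """True when the version is below the 8.6.2 fix (numeric, so 8.6.10 is not below 8.6.2)."""
    return parse_version(text) < FIXED_VERSION


if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.source_ip} {a.method} {a.target} -> {a.metachars}")
    for v in ("Version: 8.6.1", "Version: 8.6.2", "Version: 8.6.10"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

Running the script flags lines 3, 4 and 5 of the constructed log (an encoded `;`, a double-encoded `$`, and an `&` hidden inside a value) while leaving the ordinary two-parameter request on line 2 alone. The numeric version comparison matters because a plain string comparison would rank "8.6.10" below "8.6.2" and report a patched system as vulnerable.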