search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Fortinet FortiWAN load balancer appliance contains multiple vulnerabilities

Vulnerability Note VU#724487

Original Release Date: 2016-09-06 | Last Revised: 2016-09-09


The Fortinet FortiWAN (Ascernlink) network load balancer appliance contains multiple vulnerabilities.


According to the reporter, the Fortinet FortiWAN network load balancer appliance contains the following vulnerabilities.

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CVE-2016-4965

The diagnosis_control.php page is vulnerable to command injection via the "graph" GET parameter. A non-administrative authenticated attacker having access privileges to the nslookup functionality can inject arbitrary operating system commands and execute them in the context of the root user.

CWE-302: Authentication Bypass by Assumed-Immutable Data - CVE-2016-4966

The diagnosis_control.php page has a tcpdump function, that can capture FortiWAN data packets and download captured packets to local host for analysis and debug. A non-administrative authenticated attacker having access privileges to change the HTTP Get param “UserName” to “Administrator” to download a PCAP file of all captured packets from the FortinWAN device since the tcpdump function was activated.

CWE-200: Information Exposure - CVE-2016-4967

An authenticated but low privileged user may obtain a backup of the device configuration by visiting the URL /script/cfg_show.php of the FortiWAN appliance, or a PCAP of tcpdump data by visiting /script/system/tcpdump.php.

CWE-200: Information Exposure - CVE-2016-4968

An authenticated but low privileged user may perform a GET request of the /linkreport/tmp/admin_global page of the FortiWAN appliance, and obtain administrator login cookie.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2016-4969

The /script/statistics/getconn.php file's IP parameter is vulnerable to cross-site scripting.

The CVSS score below is based on CVE-2016-4965.


An authenticated but low-privileged (non-administrator) account may be able to execute OS commands in the root context, capture network traffic through the FortiWAN device, obtain appliance system configuration, or conduct cross-site scripting attacks against administrator users.


Apply an update

Fortinet has released FortiWAN 4.2.5 which addresses all issues. For more information, please see the changelog. Affected users are encouraged to update as soon as possible.

Vendor Information


Fortinet, Inc. Affected

Notified:  July 14, 2016 Updated: September 09, 2016

Statement Date:   September 09, 2016



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

FortiWAN version 4.2.5 addresses all vulnerabilities listed in VU#724487. Please see the release notes below for more information.

Vendor References

CVSS Metrics

Group Score Vector
Base 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal 8 E:POC/RL:U/RC:UR
Environmental 6.0 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND



Thanks to Virgoteam (Fan-Syun Shih, Kun-Xian Lin, and Yu-Chi Ding) for reporting these vulnerabilities.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2016-4965, CVE-2016-4966, CVE-2016-4967, CVE-2016-4968, CVE-2016-4969
Date Public: 2016-09-06
Date First Published: 2016-09-06
Date Last Updated: 2016-09-09 17:12 UTC
Document Revision: 28

Sponsored by CISA.