Successfully, the equipment’s Apache configuration forwards the crafted request into “fwbcgi,” bypassing anticipated protections.
As soon as the attacker reaches the CGI backend, they exploit a second design flaw–the cgi_auth() operate blindly processes an “HTTP_CGIINFO” header offered by the shopper. The JSON fields within the header settle for username, profname, vdom, and loginname with out correct checks, leading to an unauthenticated attacker impersonating any admin account and gaining full admin privileges.
Mixed, these steps enable full distant code execution with no credentials. The trail traversal opens the door, and the header spoofing units the assault in movement. Fortinet assigned the flaw a severity ranking of 9.1 out of 10, whereas researchers at Picus suppose it ought to be 9.8.
