FortiSIEM 5.2.8 EL Injection / Remote Code Execution

Credit: redtimmysec
Risk: High
Local: No
Remote: Yes

On June 21st 2020 Fortinet has released a security bulletin for its FortiSIEM product: All versions of the product equal to/minor than 5.2.8 are vulnerable to an unauthorized remote command execution via Expression Language injection. The affected component, found and reported by Code White guys, is an old acquaintance of ours: the infamous java library Richfaces. 7 months ago we have publicly released a working proof of concept named Richsploit ( aimed to exploit 4 different Richfaces RCE bugs, including the one mentioned in the Fortinet security bulletin. However, the tool does not work as-is against FortiSIEM <= 5.2.8 as the malicious payload requires some modifications in order to produce the desired effects. We have fixed that and wrote a post about it. Also we have been able to identify several vulnerable instances of FortiSIEM exposed over the internet, even owned by Fortinet itself. We have responsibly reported their presence to the vendor(s). If you are interest, the most relevant details can be consulted from regards

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020,


Back to Top