CVE-2021-43077: 
FortiWLM vulnerability analysis and mitigation

A SQL injection vulnerability (CVE-2021-43077) was discovered in Fortinet FortiWLM affecting versions 8.6.2 and below, 8.5.2 and below, 8.4.2 and below, and 8.3.2 and below. The vulnerability was disclosed on March 1, 2022, and allows authenticated attackers to execute unauthorized code or commands via crafted HTTP requests to the AP monitor handlers (Fortinet Advisory).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) with a CVSS v3.1 base score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue stems from improper neutralization of special elements in SQL commands within the AP monitor handlers, which could allow an attacker to alter query logic and execute arbitrary SQL statements (NVD).

The vulnerability can lead to unauthorized code execution and commands execution through crafted HTTP requests. The high CVSS score indicates severe potential impacts on confidentiality, integrity, and availability of the affected systems (Fortinet Advisory).

Fortinet has released a fix for this vulnerability. Users are advised to upgrade to FortiWLM version 8.6.3 or above to address the security issue. The vulnerability was internally discovered and reported by Mattia Fecit of Fortinet Product Security team (Fortinet Advisory).