CVE-2022-27483: 
Fortinet FortiManager vulnerability analysis and mitigation

A command injection vulnerability was discovered in Fortinet FortiManager and FortiAnalyzer products, identified as CVE-2022-27483. The vulnerability affects multiple versions of both products, including FortiManager versions 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.x, and 6.0.x, as well as FortiAnalyzer versions 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.x, and 6.0.x. The vulnerability was internally discovered by Théo Leleu of the Fortinet Product Security team and was publicly disclosed on July 5, 2022 (Fortinet Advisory).

The vulnerability is classified as an improper neutralization of special elements used in an OS command injection (CWE-78). It allows an authenticated attacker to execute arbitrary shell code as root user through the 'diagnose system' CLI commands. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).

The successful exploitation of this vulnerability allows an attacker to execute arbitrary shell code with root privileges, potentially leading to complete system compromise. Given the elevated privileges obtained through exploitation, an attacker could gain full control over the affected FortiManager and FortiAnalyzer systems (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to FortiManager version 7.2.0 or above, version 7.0.4 or above, or version 6.4.8 or above. Similarly, FortiAnalyzer users should upgrade to version 7.2.0 or above, version 7.0.4 or above, or version 6.4.8 or above (Fortinet Advisory).