
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical OS command injection vulnerability (CVE-2023-36550) was discovered in Fortinet FortiWLM versions 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4. The vulnerability was disclosed on October 10, 2023, and allows an attacker to execute unauthorized code or commands through specifically crafted HTTP GET request parameters. This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command) (NVD, Fortinet Advisory).
The vulnerability stems from improper neutralization of special elements used in OS commands within the FortiWLM GUI component. It has been assigned a Critical severity rating with a CVSS v3.1 base score of 9.8, indicating the highest level of severity. The vulnerability allows for remote exploitation without requiring authentication or user interaction (NVD, Fortinet Advisory).
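The weakness class named above (CWE-78) is easiest to recognise side by side with its fix. The following Python snippet is an added illustration, not FortiWLM code and not taken from the advisory: it shows a request handler that interpolates an unvalidated GET parameter into a shell command string, next to a hardened handler that enforces an allowlist and passes the value as a separate argv element with no shell involved. The parameter name `host`, the `ping` command and the sample query strings are all constructed for the example.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Constructed sample query strings for the example (not from the advisory).
SAFE_QUERY = "host=10.0.0.5"
TAINTED_QUERY = "host=10.0.0.5;echo injected"


def vulnerable_build_command(query_string: str) -> str:
    """CWE-78 pattern: an unvalidated GET parameter is spliced into a shell
    command line. This function only builds the string so the defect is
    visible without executing anything; a shell given this string would
    treat ';' as a command separator and run what follows it."""
    host = parse_qs(query_string).get("host", [""])[0]
    return f"ping -c 1 {host}"


# Allowlist: hostname/IP characters only, no shell metacharacters.
HOST_RE = re.compile(r"[A-Za-z0-9.\-]{1,253}")


def hardened_build_argv(query_string: str) -> list[str]:
    """Hardened form: validate the parameter against an allowlist and return
    an argv list, so the value can never be parsed as shell syntax."""
    host = parse_qs(query_string).get("host", [""])[0]
    if not HOST_RE.fullmatch(host):
        raise ValueError("host parameter rejected by allowlist")
    return ["ping", "-c", "1", host]


def run_hardened(query_string: str) -> subprocess.CompletedProcess:
    """Execute the validated argv without a shell (shell=False is the default
    for a list argument, stated explicitly here for emphasis)."""
    argv = hardened_build_argv(query_string)
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=5, shell=False, check=False)


if __name__ == "__main__":
    print("vulnerable string:", vulnerable_build_command(TAINTED_QUERY))
    print("hardened argv:    ", hardened_build_argv(SAFE_QUERY))
    try:
        hardened_build_argv(TAINTED_QUERY)
    except ValueError as exc:
        print("hardened rejected tainted input:", exc)
```

The design point is that the allowlist and the argv list are complementary: the allowlist rejects anything that is not a plausible hostname, and the argv list guarantees that even a value which slips past validation reaches the program as a single argument rather than as shell syntax.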
If successfully exploited, this vulnerability allows remote unauthenticated attackers to execute unauthorized code or commands on the affected system. Given the critical CVSS score and the nature of OS command injection, which typically runs attacker-controlled input with the privileges of the web service process, this could lead to complete system compromise (Fortinet Advisory).
Fortinet has released patches to address this vulnerability. Users running FortiWLM version 8.6.0 through 8.6.5 should upgrade to version 8.6.6 or above. Those running version 8.5.0 through 8.5.4 should upgrade to version 8.5.5 or above (Fortinet Advisory).
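To turn the affected and fixed version ranges above into a check that can be run over an inventory, here is an added Python helper (example code, not Fortinet's or the database's own). It encodes exactly the two ranges and two fixed versions stated in the advisory text; a version outside both ranges is reported as "not in a listed affected range" rather than as safe, because the advisory text quoted here says nothing about other branches.

```python
import re

# Affected ranges and the fixed version for each, exactly as stated above:
# 8.6.0 through 8.6.5 -> upgrade to 8.6.6; 8.5.0 through 8.5.4 -> upgrade to 8.5.5.
AFFECTED_RANGES = [
    ((8, 6, 0), (8, 6, 5), (8, 6, 6)),
    ((8, 5, 0), (8, 5, 4), (8, 5, 5)),
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch' into a comparable integer tuple."""
    match = VERSION_RE.fullmatch(version.strip())
    if not match:
        raise ValueError(f"unrecognised FortiWLM version string: {version!r}")
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def assess(version: str) -> dict:
    """Return whether the version falls in a listed affected range and,
    if so, the fixed version to upgrade to."""
    ver = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= ver <= high:
            return {"version": version, "in_listed_range": True,
                    "upgrade_to": ".".join(map(str, fixed))}
    return {"version": version, "in_listed_range": False, "upgrade_to": None}


if __name__ == "__main__":
    # Constructed inventory for the example.
    for v in ["8.6.3", "8.6.6", "8.5.4", "8.5.5", "8.4.9"]:
        print(assess(v))
```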
The vulnerability was discovered and reported by security researcher Zach Hanley (@hacks_zach) of Horizon3.ai under responsible disclosure practices (Fortinet Advisory).
Source: This report was generated using AI