
CVE-2021-22123: Fortinet FortiWeb RCE Vulnerability

CVE-2021-22123 is a remote code execution vulnerability in Fortinet FortiWeb that allows authenticated attackers to execute arbitrary commands via the SAML server configuration page. This article covers technical details, affected versions, impact, and mitigation strategies.

Published: February 25, 2026

CVE-2021-22123 Overview

CVE-2021-22123 is an OS command injection vulnerability affecting Fortinet FortiWeb's management interface. This flaw enables a remote authenticated attacker to execute arbitrary commands on the underlying system via the SAML server configuration page. Command injection vulnerabilities of this nature are particularly dangerous in web application firewalls like FortiWeb, as successful exploitation can lead to complete system compromise and lateral movement within enterprise networks.

Critical Impact

Authenticated attackers can execute arbitrary system commands on FortiWeb appliances, potentially leading to full device takeover, data exfiltration, and network compromise.

Affected Products

  • Fortinet FortiWeb version 6.3.7 and below
  • Fortinet FortiWeb version 6.2.3 and below
  • Fortinet FortiWeb versions 6.1.x, 6.0.x, 5.9.x

Discovery Timeline

  • 2021-06-01 - CVE-2021-22123 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2021-22123

Vulnerability Analysis

This vulnerability resides in the SAML server configuration page within FortiWeb's management interface. The flaw stems from improper input validation (CWE-78: Improper Neutralization of Special Elements used in an OS Command), allowing user-supplied input to be passed directly to system shell commands without adequate sanitization.

The attack requires network access to the management interface and valid authentication credentials. Once authenticated, an attacker can inject malicious commands through the SAML configuration parameters, which are then executed with the privileges of the FortiWeb system process. This can result in complete confidentiality, integrity, and availability compromise of the affected device.

Root Cause

The root cause is insufficient input validation and sanitization in the SAML server configuration handler. User-controlled input is concatenated into OS command strings and executed without proper escaping or validation. This classic command injection pattern allows metacharacters and command separators (such as ;, |, &&, or backticks) to break out of the intended command context and execute arbitrary commands.

Attack Vector

The attack vector is network-based, targeting the FortiWeb management interface. An attacker must first obtain valid credentials through phishing, credential stuffing, or other means. Once authenticated, the attacker navigates to the SAML server configuration page and injects malicious payloads into vulnerable input fields. The injected commands execute on the underlying operating system, potentially allowing the attacker to:

  • Read sensitive configuration files and credentials
  • Modify firewall rules and security policies
  • Install persistent backdoors
  • Pivot to other network resources
  • Exfiltrate sensitive data passing through the WAF

The vulnerability mechanism involves insufficient sanitization of user input in the SAML server configuration page. When an authenticated user submits configuration data, the application processes these values and incorporates them into shell commands without proper escaping. Attackers can leverage shell metacharacters to terminate the intended command and append malicious instructions. For detailed technical information, refer to the FortiGuard Security Advisory.
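The snippet below is an added illustration of this root cause, not FortiWeb code: the SAML metadata URL field and the curl-based fetch are hypothetical. It contrasts the injectable concatenation pattern with a handler that allowlists the field and hands the OS an argv list instead of a shell string.

```python
import re
import subprocess  # used only by the hardened variant

# Hypothetical handler: an admin-supplied SAML metadata URL is fetched with a
# command-line tool. The vulnerable variant is never executed here; we only
# inspect the command string it would hand to a shell.

SHELL_META = re.compile(r"[;&|`$()<>\n]")

def build_fetch_command_vulnerable(metadata_url: str) -> str:
    # CWE-78 pattern: the raw field value is concatenated into a shell string,
    # so any separator inside the value terminates the intended command.
    return "curl -s " + metadata_url

def has_shell_metachars(command: str) -> bool:
    # True when the string carries a separator or substitution character a
    # shell would interpret (the characters listed under Root Cause above).
    return SHELL_META.search(command) is not None

# Hardened variant: strict allowlist on the field, then an argv list so the
# value is exactly one argument and no shell ever parses it.
_URL_RE = re.compile(r"^https://[A-Za-z0-9.-]+(:\d{1,5})?(/[A-Za-z0-9._~/-]*)?$")

def validate_metadata_url(metadata_url: str) -> bool:
    return _URL_RE.fullmatch(metadata_url) is not None

def build_fetch_command_hardened(metadata_url: str) -> list[str]:
    if not validate_metadata_url(metadata_url):
        raise ValueError("rejected SAML metadata URL")
    return ["curl", "-s", "--", metadata_url]

def fetch_metadata(metadata_url: str) -> bytes:
    # shell=False (the default) with an argv list: no command-string parsing.
    argv = build_fetch_command_hardened(metadata_url)
    return subprocess.run(argv, capture_output=True, check=True).stdout

if __name__ == "__main__":
    good = "https://idp.example.com/metadata"
    bad = good + "; echo injected"   # constructed value carrying a separator
    print(has_shell_metachars(build_fetch_command_vulnerable(bad)))  # True
    print(build_fetch_command_hardened(good))
    try:
        build_fetch_command_hardened(bad)
    except ValueError as exc:
        print("hardened handler:", exc)
```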

Detection Methods for CVE-2021-22123

Indicators of Compromise

  • Unusual process execution originating from FortiWeb management processes
  • Unexpected outbound network connections from the FortiWeb appliance
  • Modified system files or new unauthorized files in system directories
  • Suspicious entries in authentication logs showing repeated SAML configuration access
  • Evidence of reverse shell connections or command-and-control traffic

Detection Strategies

  • Monitor FortiWeb management interface access logs for unusual SAML configuration page activity
  • Implement network detection rules for common command injection patterns in HTTP traffic
  • Deploy SIEM rules to correlate multiple failed authentication attempts followed by SAML configuration changes
  • Enable enhanced logging on FortiWeb appliances to capture detailed request parameters
  • Use file integrity monitoring to detect unauthorized changes to system files
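As an added example of the two log-based strategies above (not SentinelOne or Fortinet code), the rule below correlates repeated failed logins from one source with a subsequent SAML server configuration change, and separately flags SAML field values that carry shell metacharacters. The log format and field names are constructed for illustration; map them to the appliance's own event fields.

```python
import re
import shlex
from datetime import datetime, timedelta

# Constructed sample of management-interface events (not real FortiWeb log
# output): a timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2021-06-02T10:00:01Z src=203.0.113.5 user=admin event=login status=failed
2021-06-02T10:00:04Z src=203.0.113.5 user=admin event=login status=failed
2021-06-02T10:00:07Z src=203.0.113.5 user=admin event=login status=failed
2021-06-02T10:00:20Z src=203.0.113.5 user=admin event=login status=success
2021-06-02T10:01:02Z src=203.0.113.5 user=admin event=config_change page=saml_server field=entity_id value="idp.example.com; echo injected"
2021-06-02T11:30:00Z src=10.10.10.7 user=ops event=login status=success
2021-06-02T11:31:00Z src=10.10.10.7 user=ops event=config_change page=saml_server field=entity_id value="https://idp.example.com"
"""

FAIL_THRESHOLD = 3              # failed logins that make a later SAML change suspicious
WINDOW = timedelta(minutes=10)  # look-back from the configuration change
SHELL_META = re.compile(r"[;&|`$()<>]")

def parse_event(line: str) -> dict:
    # shlex keeps quoted values (which may contain ';' or spaces) intact.
    ts, *pairs = shlex.split(line)
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event

def detect(lines: list[str]) -> list[str]:
    alerts = []
    failed_logins: dict[str, list[datetime]] = {}   # src -> failure timestamps
    for ev in map(parse_event, lines):
        src = ev["src"]
        if ev.get("event") == "login" and ev.get("status") == "failed":
            failed_logins.setdefault(src, []).append(ev["ts"])
        elif ev.get("event") == "config_change" and ev.get("page") == "saml_server":
            recent = [t for t in failed_logins.get(src, []) if ev["ts"] - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(f"failed-logins-then-saml-change src={src} user={ev['user']}")
            if SHELL_META.search(ev.get("value", "")):
                alerts.append(f"shell-metachar-in-saml-field src={src} field={ev['field']}")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```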

Monitoring Recommendations

  • Restrict management interface access to trusted networks and IP addresses
  • Implement continuous monitoring of FortiWeb system processes for anomalous child process spawning
  • Configure alerts for administrative actions on SAML configuration pages
  • Review authentication logs regularly for suspicious login patterns
  • Deploy network traffic analysis to detect command injection attempts and data exfiltration

How to Mitigate CVE-2021-22123

Immediate Actions Required

  • Upgrade FortiWeb to version 6.3.8 or later, 6.2.4 or later, or the latest available patched version
  • Restrict access to the FortiWeb management interface to trusted IP addresses only
  • Review and audit all administrative accounts for unauthorized access
  • Enable multi-factor authentication for management interface access
  • Monitor for indicators of compromise on all FortiWeb appliances

Patch Information

Fortinet has released security updates to address this vulnerability. Organizations should consult the FortiGuard Security Advisory FG-IR-20-120 for specific patch versions and upgrade instructions. All affected versions should be upgraded to the following minimum patched versions:

  • FortiWeb 6.3.x: Upgrade to 6.3.8 or later
  • FortiWeb 6.2.x: Upgrade to 6.2.4 or later
  • FortiWeb 6.1.x, 6.0.x, 5.9.x: Upgrade to a supported patched version

Workarounds

  • Isolate the FortiWeb management interface on a dedicated management VLAN
  • Implement strict firewall rules limiting management access to authorized administrator workstations
  • Use VPN connections for remote management access instead of exposing the interface directly
  • Disable SAML authentication if not required for operations
  • Deploy a jump server or bastion host for administrative access to FortiWeb appliances
```bash
# Example: restrict management interface access via firewall rules.
# Limit management access to specific trusted IP ranges.

# On the network firewall in front of the appliance, allow only trusted admin
# IPs to reach the FortiWeb management port (443 here; adjust if the management
# interface listens on another port), then drop everything else.
iptables -A INPUT -p tcp --dport 443 -s 10.10.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

# Verify the FortiWeb firmware version: log in to the FortiWeb CLI and run
#   get system status
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: RCE
  • Vendor/Tech: Fortinet FortiWeb
  • Severity: HIGH
  • CVSS Score: 8.8
  • EPSS Probability: 80.50%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-78

Vendor Resources

  • FortiGuard Security Advisory

Related CVEs

  • CVE-2025-66178: Fortinet FortiWeb RCE Vulnerability
  • CVE-2026-24640: Fortinet FortiWeb RCE Vulnerability
  • CVE-2025-58034: Fortinet FortiWeb RCE Vulnerability
  • CVE-2025-48840: Fortinet FortiWeb Auth Bypass Vulnerability