
Effectively, the appliance’s Apache configuration forwards the crafted request into “fwbcgi,” bypassing expected protections.
Once the attacker reaches the CGI backend, they exploit a second design flaw: the cgi_auth() function blindly processes an “HTTP_CGIINFO” header provided by the client. The JSON fields in the header (username, profname, vdom, and loginname) are accepted without proper checks, so an unauthenticated attacker can impersonate any admin account and gain full admin privileges.
Combined, these steps allow full remote code execution with no credentials. The path traversal opens the door, and the header spoofing sets the attack in motion. Fortinet assigned the flaw a severity rating of 9.1 out of 10, while researchers at Picus think it should be 9.8.
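To make the second flaw concrete from the defender's side, here is an added Python model of the pattern the article describes, written for this page and not taken from the article, Fortinet, or the appliance's own C code. It assumes a generic CGI gateway that turns request headers into HTTP_* environment variables, a hypothetical internal header named CGIINFO, and a hypothetical X-Session token; the constructed request and the secret are demo values. It places a backend that trusts client-supplied identity fields beside two controls that close the hole (stripping internal headers at the proxy, and deriving identity only from an HMAC-verified session), plus a small check that flags requests carrying an internal header or a traversal sequence.

```python
import hashlib
import hmac
import json
import re
import urllib.parse

# Constructed secret for the demo; a real deployment loads it from protected storage.
SESSION_SECRET = b"demo-only-secret-not-for-production"
# Headers the backend treats as internal; nothing arriving from the network may set them.
INTERNAL_HEADERS = {"cgiinfo"}
# Traversal sequences as they appear after one round of URL decoding.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")


def cgi_environ(headers):
    """Mirror the CGI convention: request header 'Foo-Bar' becomes HTTP_FOO_BAR."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def cgi_auth_trusting(environ):
    """Vulnerable pattern: admin identity is read straight from a header the
    client controls, so whoever sends the header chooses who they are."""
    try:
        info = json.loads(environ.get("HTTP_CGIINFO", "{}"))
    except json.JSONDecodeError:
        return None
    if "username" not in info:
        return None
    return {k: info.get(k) for k in ("username", "profname", "vdom", "loginname")}


def strip_internal_headers(headers):
    """Proxy-side control: drop any client-supplied header the backend treats
    as internal before the request is forwarded."""
    return {n: v for n, v in headers.items() if n.lower() not in INTERNAL_HEADERS}


def issue_session(identity, secret=SESSION_SECRET):
    """Server-side: bind an identity to an HMAC tag the client cannot forge."""
    body = json.dumps(identity, sort_keys=True)
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def cgi_auth_verified(environ, secret=SESSION_SECRET):
    """Hardened pattern: identity comes only from a verified session token;
    HTTP_CGIINFO is ignored even if it reaches the backend."""
    token = environ.get("HTTP_X_SESSION", "")
    body, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def flag_request(method, path, headers):
    """Detection: list the reasons a request deserves a closer look, namely an
    internal header arriving from outside or a traversal sequence in the path."""
    reasons = []
    if any(n.lower() in INTERNAL_HEADERS for n in headers):
        reasons.append("client-supplied internal header")
    if TRAVERSAL.search(urllib.parse.unquote(path)):
        reasons.append("path traversal sequence")
    return reasons


if __name__ == "__main__":
    # Constructed request: the client sets the identity header itself.
    forged = {"Host": "appliance.example",
              "CGIINFO": json.dumps({"username": "admin", "profname": "prof_admin",
                                     "vdom": "root", "loginname": "admin"})}
    print("trusting backend sees :", cgi_auth_trusting(cgi_environ(forged)))
    print("after proxy strip     :", cgi_auth_trusting(cgi_environ(strip_internal_headers(forged))))
    print("verified backend sees :", cgi_auth_verified(cgi_environ(forged)))
    print("flags                 :", flag_request("GET", "/assets/..%2Fprivate", forged))
```

The two controls are independent on purpose: stripping at the proxy protects a backend you cannot change, while verified sessions protect a backend even when a request reaches it by an unexpected route, which is exactly the situation the path traversal creates.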
