Fortinet has released security updates to address 40 security vulnerabilities affecting its FortiWeb, FortiOS, FortiNAC, and FortiProxy solutions. Two of the 40 vulnerabilities identified are considered critical, and 15 have a high level of importance.
Two of Fortinet's Vulnerabilities Score 9.8/10
The critical vulnerabilities include CVE-2022-39952, a remote code execution (RCE) vulnerability in FortiNAC’s keyUpload script that could allow unauthorized code or commands to be executed by unauthenticated threat actors through specially crafted HTTP requests. The affected versions include FortiNAC 9.4.0, FortiNAC 9.2.0 – 9.2.5, FortiNAC 9.1.0 – 9.1.7, FortiNAC 8.8 all versions, FortiNAC 8.7 all versions, FortiNAC 8.6 all versions, FortiNAC 8.5 all versions, and FortiNAC 8.3 all versions.
The second critical vulnerability, CVE-2021-42756, affects FortiWeb Proxy and is a stack-based buffer overflow. It could allow an unauthenticated, remote threat actor to execute arbitrary code on vulnerable systems through specially crafted HTTP requests. The affected versions include FortiWeb 5.x all versions, FortiWeb 6.0.7 and below, FortiWeb 6.1.2 and below, FortiWeb 6.2.6 and below, FortiWeb 6.3.16 and below, and all versions of FortiWeb 6.4.
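The two affected-version lists above are what a defender needs to triage an appliance inventory. The following is an added example (not code from the article or from Fortinet) that encodes the FortiNAC ranges for CVE-2022-39952 and the FortiWeb ranges for CVE-2021-42756 exactly as stated here and checks version strings against them; the inventory rows and host names are constructed sample data, and the `product,version` CSV shape is an assumption.

```python
# Added example: triage an appliance inventory against the affected-version
# ranges quoted in the advisory text. Ranges are transcribed from the article;
# the inventory below is constructed sample data, not real hosts.
from typing import Dict, List, Optional, Tuple

Ver = Tuple[int, ...]

def parse(v: str) -> Ver:
    """'9.2.3' -> (9, 2, 3); missing trailing components are treated as 0."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (3 - len(parts))

# Each entry: (branch prefix, highest affected patch level within that branch,
# or None when the article says "all versions" of the branch are affected).
AFFECTED: Dict[str, List[Tuple[Ver, Optional[int]]]] = {
    # CVE-2022-39952: 9.4.0, 9.2.0-9.2.5, 9.1.0-9.1.7, all of 8.8/8.7/8.6/8.5/8.3
    "FortiNAC": [((9, 4), 0), ((9, 2), 5), ((9, 1), 7), ((8, 8), None),
                 ((8, 7), None), ((8, 6), None), ((8, 5), None), ((8, 3), None)],
    # CVE-2021-42756: all 5.x, <=6.0.7, <=6.1.2, <=6.2.6, <=6.3.16, all 6.4
    "FortiWeb": [((5,), None), ((6, 0), 7), ((6, 1), 2), ((6, 2), 6),
                 ((6, 3), 16), ((6, 4), None)],
}

def is_affected(product: str, version: str) -> Optional[bool]:
    """True if the version falls inside a listed affected range, False if it
    does not, None if the product is not covered by the table above."""
    ranges = AFFECTED.get(product)
    if ranges is None:
        return None
    ver = parse(version)
    for prefix, max_patch in ranges:
        if ver[:len(prefix)] != prefix:
            continue
        return True if max_patch is None else ver[len(prefix)] <= max_patch
    return False

# Constructed sample inventory: host,product,version
SAMPLE_INVENTORY = """\
nac-01,FortiNAC,9.2.3
nac-02,FortiNAC,9.4.1
waf-01,FortiWeb,6.3.16
waf-02,FortiWeb,6.3.17
fw-01,FortiOS,7.2.4
"""

def triage(inventory_csv: str) -> Dict[str, str]:
    """Map each host to 'affected', 'not listed' or 'not in table'."""
    labels = {True: "affected", False: "not listed", None: "not in table"}
    result = {}
    for line in inventory_csv.strip().splitlines():
        host, product, version = (s.strip() for s in line.split(","))
        result[host] = labels[is_affected(product, version)]
    return result
```

"Not listed" only means the version is outside the ranges quoted in this article; confirm the fixed release against Fortinet's own advisory before closing a ticket.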
Fortinet has also released security updates for other vulnerabilities affecting FortiADC, FortiExtender, FortiOS, FortiProxy, FortiSwitchManager, FortiWAN, FortiAnalyzer, FortiAuthenticator, FortiPortal, and FortiSandbox. Users are advised to apply the updates promptly to avoid potential attacks exploiting these vulnerabilities.