Multiple Vulnerabilities Found in Fortinet Security Products
NJCCIC Advisory
Original Release Date: 1/5/2023
Summary
Fortinet announced that multiple vulnerabilities were found and patched in several of the cybersecurity solutions provider’s products. CVE-2022-39947 (CVSS v3 8.6) is a high-severity flaw affecting multiple versions of the FortiADC web interface. The vulnerability is an improper neutralization of special elements used in an OS command vulnerability in FortiADC that may allow an authenticated threat actor with access to the web GUI to execute unauthorized commands via specifically crafted HTTP requests. CVE-2022-35845 (CVSS v3 7.6) is a collective of command injection vulnerabilities found in GUI and API and affects multiple versions of FortiTester. This vulnerability may allow an authenticated attacker to execute arbitrary commands in the underlying shell. Additional medium-severity vulnerabilities affect FortiWeb, FortiPortal, and FortiManager.
Recommendations
The NJCCIC recommends administrators upgrade to patched versions of impacted Fortinet products immediately after appropriate testing. Further details can be found in the FortiGuard PSIRT Advisories.
The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
View our Privacy Policy here.
View our Site Index here.