- 02/2023
- High
Fortinet has released security updates to address multiple vulnerabilities across multiple products.
The severity of the addressed vulnerabilities could allow the attacker to gain access, and execute or inject arbitrary code in the management interface or commands via specifically crafted HTTP requests on the affected products.
Sample of the addressed vulnerabilities:
1. FortiADC – Command Injection in Web Interface (CVE-2022-39947):
• CVSS: 8.6
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Consequences: Gain Access
2. FortiTester – Command Injection in GUI and API (CVE-2022-35845):
• CVSS: 7.6
• Attack Vector: Local
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Consequences: Gain Access
Sample of the affected products:
• FortiADC version 7.0.0 through 7.0.2.
• FortiTester version 7.0 all versions.
• FortiManager version 7.0.0 through 7.0.1.
• FortiPortal 5.3 all versions.
• FortiWeb version 7.0.0 through 7.0.2.
Vulnerabilities
- CVE-2022-39947
- CVE-2022-35845
- CVE-2022-45857
- CVE-2022-41336
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.