Fortinet fixes critical RCE flaws in FortiNAC and FortiWeb

20 February 2023 [NO.TCSA : 20230220-1-1-P]


Fortinet has released security updates for its FortiNAC and FortiWeb products, addressing two critical-severity vulnerabilities that may allow unauthenticated attackers to perform arbitrary code or command execution.

The first flaw, impacting FortiNAC, is tracked as CVE-2022-39952 and has a CVSS v3 score of 9.8 (critical). FortiNAC is a network access control solution that helps organizations gain real-time network visibility, enforce security policies, and detect and mitigate threats.

The second vulnerability, which impacts FortiWeb, is CVE-2021-42756 and has a CVSS v3 score of 9.3 (critical). FortiWeb is a web application firewall (WAF) solution designed to protect web apps and APIs from cross-site scripting (XSS), SQL injection, bot attacks, DDoS (distributed denial of service), and other online threats.

Strangely, the CVE ID indicates that the vulnerability was discovered in 2021 but was not publicly disclosed until now.

Affected Versions

FortiNAC CVE-2022-39952
  • FortiNAC version 9.4.0
  • FortiNAC version 9.2.0 through 9.2.5
  • FortiNAC version 9.1.0 through 9.1.7
  • FortiNAC 8.8 all versions
  • FortiNAC 8.7 all versions
  • FortiNAC 8.6 all versions
  • FortiNAC 8.5 all versions
  • FortiNAC 8.3 all versions

FortiWeb CVE-2021-42756
  • FortiWeb versions 5.x all versions
  • FortiWeb versions 6.0.7 and below
  • FortiWeb versions 6.1.2 and below
  • FortiWeb versions 6.2.6 and below
  • FortiWeb versions 6.3.16 and below
  • FortiWeb versions 6.4 all versions

Mitigation

  • The FortiNAC CVE-2022-39952 vulnerability is fixed in FortiNAC 9.4.1 and later, 9.2.6 and later, 9.1.8 and later, and 7.2.0 and later.
  • To address the FortiWeb CVE-2021-42756 flaw, admins should test and upgrade to FortiWeb 7.0.0 or later, 6.3.17 or later, 6.2.7 or later, 6.1.3 or later, and 6.0.8 or later.
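As an added example (not part of this bulletin or of Fortinet's own tooling), the affected and fixed versions listed above encoded as a lookup that can be run over an asset inventory; the branch table, the "not listed" status for branches the bulletin does not mention, and the sample inventory are this example's own constructions:

```python
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

def parse_version(text: str) -> Version:
    """Turn '9.2.5' (or 'v9.2') into a (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().lstrip("v").split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]

# Per release branch: the first fixed build from the Mitigation section, or None
# when the bulletin lists the whole branch as affected with no fix on that branch.
# A fixed build of x.y.0 (FortiNAC 7.2, FortiWeb 7.0) means the branch is fixed throughout.
FIRST_FIXED: Dict[str, Dict[Tuple[int, int], Optional[Version]]] = {
    "FortiNAC": {  # CVE-2022-39952
        (9, 4): (9, 4, 1), (9, 2): (9, 2, 6), (9, 1): (9, 1, 8), (7, 2): (7, 2, 0),
        (8, 8): None, (8, 7): None, (8, 6): None, (8, 5): None, (8, 3): None,
    },
    "FortiWeb": {  # CVE-2021-42756
        (7, 0): (7, 0, 0), (6, 3): (6, 3, 17), (6, 2): (6, 2, 7),
        (6, 1): (6, 1, 3), (6, 0): (6, 0, 8), (6, 4): None,
    },
}

def check(product: str, version: str) -> str:
    """Return 'affected', 'fixed', or 'not listed' for one installed build."""
    major, minor, patch = parse_version(version)
    if product == "FortiWeb" and major == 5:
        return "affected"  # bulletin: "FortiWeb versions 5.x all versions"
    branches = FIRST_FIXED[product]
    if (major, minor) not in branches:
        return "not listed"  # branch not named in the bulletin; confirm with the vendor PSIRT entry
    first_fixed = branches[(major, minor)]
    if first_fixed is None or (major, minor, patch) < first_fixed:
        return "affected"
    return "fixed"

if __name__ == "__main__":
    # Constructed sample inventory for illustration, not real hosts.
    inventory = [("FortiNAC", "9.2.5"), ("FortiNAC", "9.2.6"), ("FortiNAC", "8.8.11"),
                 ("FortiNAC", "7.2.0"), ("FortiWeb", "5.9.0"), ("FortiWeb", "6.3.17"),
                 ("FortiWeb", "6.4.2")]
    for product, ver in inventory:
        print(f"{product} {ver}: {check(product, ver)}")
```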
