Fortinet fixes critical RCE flaws in FortiNAC and FortiWeb

PUBLISHED:
20 February 2023

Fortinet fixes critical RCE flaws in FortiNAC and FortiWeb

Fortinet has released security updates for its FortiNAC and FortiWeb products, addressing two critical-severity vulnerabilities that may allow unauthenticated attackers to perform arbitrary code or command execution.

The first flaw, impacting FortiNAC, is tracked as CVE-2022-39952 and has a CVSS v3 score of 9.8 (critical). FortiNAC is a network access control solution that helps organizations gain real-time network visibility, enforce security policies, and detect and mitigate threats.

The second vulnerability impacts FortiWeb is CVE-2021-42756, which has a CVSS v3 score of 9.3 (critical). FortiWeb is a web application firewall (WAF) solution designed to protect web apps and API from cross-site scripting (XSS), SQL injection, bot attacks, DDoS (distributed denial of service), and other online threats.

Strangely, the CVE ID indicates that the vulnerability was discovered in 2021 but was not publicly disclosed until now.

Affected Versions

FortiNAC CVE-2022-39952

Cacti versions 1.2.22 and below
FortiNAC version 9.4.0
FortiNAC version 9.2.0 through 9.2.5
FortiNAC version 9.1.0 through 9.1.7
FortiNAC 8.8 all versions
FortiNAC 8.7 all versions
FortiNAC 8.6 all versions
FortiNAC 8.5 all versions
FortiNAC 8.3 all versions

FortiWeb CVE-2021-42756

FortiWeb versions 5.x all versions
FortiWeb versions 6.0.7 and below
FortiWeb versions 6.1.2 and below
FortiWeb versions 6.2.6 and below
FortiWeb versions 6.3.16 and below
FortiWeb versions 6.4 all versions

Mitigation

The FortiNAC CVE-2022-39952 vulnerability is fixed in FortiNAC 9.4.1 and later, 9.2.6 and later, 9.1.8 and later, and 7.2.0 and later.
To address the FortiWeb CVE-2021-42756 flaw, admins should test and upgrade to FortiWeb 7.0.0 or later, 6.3.17 or later, 6.2.7 or later, 6.1.3 or later, and 6.0.8 or later.

More Information

FortiNAC CVE-2022-39952 – https://www.fortiguard.com/psirt/FG-IR-22-300
FortiWeb CVE-2021-42756 – https://www.fortiguard.com/psirt/FG-IR-21-186

9 February 2024 [NO.TCSA : 20240209-1-1-P]

Critical Remote Code Execution Vulnerability Found in FortiOS SSL VPN

Fortinet fixes critical RCE flaws in FortiNAC and FortiWeb

PUBLISHED:
20 February 2023

Fortinet fixes critical RCE flaws in FortiNAC and FortiWeb

Affected Versions

FortiNAC CVE-2022-39952

FortiWeb CVE-2021-42756

Mitigation

9 February 2024 [NO.TCSA : 20240209-1-1-P]

Critical Remote Code Execution Vulnerability Found in FortiOS SSL VPN

13 July 2023 [NO.TCSA : 20230713-1-1-P]

Fortinet Patches Critical Remote Code Execution Vulnerability in FortiOS/FortiProxy

23 June 2023 [NO.TCSA : 20230623-1-1-P]

WSO2 Releases Patches for Vulnerabilities in API Manager, Identity Server, and Other Products

Fortinet fixes critical RCE flaws in FortiNAC and FortiWeb

PUBLISHED: 20 February 2023

Fortinet fixes critical RCE flaws in FortiNAC and FortiWeb

Affected Versions

FortiNAC CVE-2022-39952

FortiWeb CVE-2021-42756

Mitigation

9 February 2024 [NO.TCSA : 20240209-1-1-P]

Critical Remote Code Execution Vulnerability Found in FortiOS SSL VPN

13 July 2023 [NO.TCSA : 20230713-1-1-P]

Fortinet Patches Critical Remote Code Execution Vulnerability in FortiOS/FortiProxy

23 June 2023 [NO.TCSA : 20230623-1-1-P]

WSO2 Releases Patches for Vulnerabilities in API Manager, Identity Server, and Other Products

PUBLISHED:
20 February 2023