6th January 2023
FortiADC Authenticated RCE Vulnerability
Fortinet has released a security bulletin for an authenticated remote code execution vulnerability in FortiADC.
CVE-2022-39947 (CVSS v3: 8.6 – High) is caused by improper neutralization of special elements and allows authenticated remote attackers with access to the web GUI to execute arbitrary code via specially crafted HTTP requests.
Affected Products
FortiADC version 7.0.0 through 7.0.1
FortiADC version 6.2.0 through 6.2.3
FortiADC version 5.4.0 through 5.4.5
FortiADC 6.1, all versions
FortiADC 6.0, all versions
Security Patches
FortiADC 7.x should be upgraded to 7.0.2 or above
FortiADC 6.x should be upgraded to 6.2.4 or above
FortiADC 5.x will be fixed in 5.4.6, which is due for release soon
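The affected ranges and upgrade targets above can be applied to a device inventory with a short script. This is an added example, not code from Fortinet or from the original bulletin; the hostnames, the version strings and the inventory format are constructed assumptions.

```python
import re

# Affected branches and fix targets transcribed from the advisory text above.
# (major, minor) -> (highest affected patch, or None for "all versions"; fix)
AFFECTED = {
    (7, 0): (1, "7.0.2 or above"),
    (6, 2): (3, "6.2.4 or above"),
    (6, 1): (None, "6.2.4 or above"),
    (6, 0): (None, "6.2.4 or above"),
    (5, 4): (5, "5.4.6 (announced, not yet released)"),
}

def triage(version_text):
    """Classify a version string as affected / fixed / not-listed / unknown."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text or "")
    if not m:
        # Missing or malformed inventory data must surface for manual review,
        # not silently pass as "not affected".
        return ("unknown", None)
    major, minor, patch = (int(p) for p in m.groups())
    entry = AFFECTED.get((major, minor))
    if entry is None:
        return ("not-listed", None)
    highest_affected, fix = entry
    if highest_affected is None or patch <= highest_affected:
        return ("affected", fix)
    return ("fixed", None)

def needs_action(inventory):
    """Return (host, status, fix) for every host that is affected or unknown."""
    out = []
    for host, version_text in inventory:
        status, fix = triage(version_text)
        if status in ("affected", "unknown"):
            out.append((host, status, fix))
    return out

# Constructed sample inventory (hypothetical hostnames and version strings).
INVENTORY = [
    ("adc-edge-01", "7.0.1"),
    ("adc-edge-02", "v7.0.2"),
    ("adc-dc-01", "6.1.6"),
    ("adc-dc-02", "6.2.4"),
    ("adc-lab-01", "5.4.5"),
    ("adc-lab-02", ""),
]

if __name__ == "__main__":
    for host, status, fix in needs_action(INVENTORY):
        print(f"{host}: {status}" + (f", upgrade to {fix}" if fix else ""))
```

Branches that the bulletin does not mention are reported as "not-listed" rather than as safe, because the page makes no statement about them.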
More Vulnerabilities
CVE-2022-35845 (CVSS v3: 7.6 – High) – FortiTester – Multiple command injection vulnerabilities in GUI and API
CVE-2022-41336 (CVSS v3: 6.6 – Medium) – FortiPortal – XSS observed on policy column settings
CVE-2022-45857 (CVSS v3: 6.0 – Medium) – FortiManager – Incorrect user management behavior leads to passwordless admin