Fortinet releases security update for High severity FortiADC vulnerability (CVE-2022-39947)

Fortinet has released a security advisory that addresses a High severity ‘command injection in web interface’ vulnerability in multiple versions of FortiADC.

FortiADC is an Application Delivery Controller (ADC) that offers advanced security capabilities (such as WAF, DDoS protection, and AV) and application connectors. The solution provides application availability, security and optimization.

A summary of the FortiADC vulnerability (CVE-2022-39947) is given in the Fortinet advisory released on January 3, 2023:

“An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiADC may allow an authenticated attacker with access to the web GUI to execute unauthorized code or commands via specifically crafted HTTP requests.”

Moreover, the High severity flaw has a CVSS score of 8.6 and affects the following products:

  • FortiADC version 7.0.0 through 7.0.2
  • FortiADC version 6.2.0 through 6.2.3
  • FortiADC version 6.1.0 through 6.1.6
  • FortiADC version 6.0.0 through 6.0.4
  • FortiADC version 5.4.0 through 5.4.5

To address the issue, users should upgrade to the upcoming FortiADC 7.0.2 or FortiADC 6.2.4 as soon as possible.
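As an added inventory check (not code from the Fortinet advisory or this article), the script below parses FortiADC version strings and tests them against the affected ranges listed above; the hostnames and the ",build" suffix in the sample are constructed assumptions. Note that the page names 7.0.2 both as an affected version and as an upgrade target, so confirm the exact fixed build against the vendor advisory before closing a ticket.

```python
"""Triage FortiADC version strings against the CVE-2022-39947 ranges above."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges copied from the list above (inclusive on both ends).
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 0, 2)),
    ((6, 2, 0), (6, 2, 3)),
    ((6, 1, 0), (6, 1, 6)),
    ((6, 0, 0), (6, 0, 4)),
    ((5, 4, 0), (5, 4, 5)),
]


def parse_version(text: str) -> Optional[Version]:
    """Extract major.minor.patch from strings such as '6.2.3' or
    'v6.2.3,build0312' (the build suffix is a constructed example, not a
    documented FortiADC format). Returns None if no version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(text: str) -> Optional[bool]:
    """True if the version lies inside a listed range, False if it lies
    outside every listed range, None if the string has no parsable version."""
    v = parse_version(text)
    if v is None:
        return None
    # Tuple comparison gives numeric ordering, so 6.2.10 sorts after 6.2.3.
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> 'affected' / 'not listed' / 'unknown version'."""
    labels = {True: "affected", False: "not listed", None: "unknown version"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"adc-1": "6.2.3", "adc-2": "6.2.4",
              "adc-3": "v5.4.5,build0001", "adc-4": "n/a"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```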
