Fortinet has released a security advisory that addresses a High severity ‘command injection in web interface’ vulnerability in multiple versions of FortiADC.
FortiADC is an advanced Application Delivery Controller (ADC) that offers advanced security capabilities (such as WAF, DDoS, and AV) and application connectors. The solution provides application availability, security and optimization.
The Fortinet advisory, released on January 3, 2023, summarizes the FortiADC vulnerability (CVE-2022-39947) as follows:
“An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiADC may allow an authenticated attacker with access to the web GUI to execute unauthorized code or commands via specifically crafted HTTP requests.”
Moreover, the High severity flaw has a CVSS score of 8.6 and affects the following products:
- FortiADC version 7.0.0 through 7.0.2
- FortiADC version 6.2.0 through 6.2.3
- FortiADC version 6.1.0 through 6.1.6
- FortiADC version 6.0.0 through 6.0.4
- FortiADC version 5.4.0 through 5.4.5
To address the issue, users should upgrade to the upcoming FortiADC 7.0.2 or FortiADC 6.2.4 release as soon as possible.
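As an added illustration (not Fortinet's code and not part of the original advisory), the following Python check tells whether a FortiADC version string falls inside one of the affected ranges listed above, so an inventory can be triaged before patching; the host names and version strings in the sample inventory are constructed.

```python
# Added example: triage FortiADC versions against the affected ranges published
# for CVE-2022-39947. Not Fortinet's code; sample inventory data is constructed.
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (low, high) ranges, major.minor.patch, as listed in the advisory.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 0, 2)),
    ((6, 2, 0), (6, 2, 3)),
    ((6, 1, 0), (6, 1, 6)),
    ((6, 0, 0), (6, 0, 4)),
    ((5, 4, 0), (5, 4, 5)),
]


def parse_version(text: str) -> Optional[Version]:
    """Extract a major.minor.patch triple from strings such as '6.2.3' or
    'FortiADC v7.0.1,build0000'; return None if no triple is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def affected_range(text: str) -> Optional[Tuple[Version, Version]]:
    """Return the affected range that contains the version, or None."""
    v = parse_version(text)
    if v is None:
        return None
    for low, high in AFFECTED_RANGES:
        if low <= v <= high:  # tuple comparison is lexicographic, so 7.0.10 > 7.0.2
            return (low, high)
    return None


def is_affected(text: str) -> bool:
    return affected_range(text) is not None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> version string to host -> 'affected' / 'not affected' / 'unknown'.
    Unparseable versions are reported as 'unknown' rather than silently passed."""
    result = {}
    for host, ver in inventory.items():
        if parse_version(ver) is None:
            result[host] = "unknown"
        else:
            result[host] = "affected" if is_affected(ver) else "not affected"
    return result


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "adc-edge-01": "FortiADC v7.0.1,build0000",
    "adc-edge-02": "7.0.3",
    "adc-lab-01": "6.1.6",
    "adc-lab-02": "n/a",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```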