Fortinet has patched a Critical risk vulnerability (CVE-2022-40684) in FortiOS, FortiProxy and FortiSwitchManager.
An attacker could exploit the vulnerability to execute unauthorized code or commands to take control of an impacted system.
“An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” Fortinet warned in the advisory.
Fortinet has assigned CVE-2022-40684 Critical severity (CVSS 9.6).
The following Fortinet products are impacted:
- FortiOS : 7.2.1, 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
- FortiProxy : 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
- FortiSwitchManager : 7.2.0, 7.0.0.
Upgrades and workarounds are available for FortiOS, FortiProxy, and FortiSwitchManager to address the vulnerability.
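Triaging an inventory against the affected-version list above is the first thing most teams will want to do. The following checker is an added example, not code from Fortinet or from the original article: it encodes the affected versions exactly as listed above as inclusive ranges per release train, parses version strings, and reports which hosts in a constructed sample inventory (hostnames, CSV layout and the `triage` helper are all assumptions) need an upgrade. Versions that are not listed above (for example the 6.4 train) are reported as not affected only because this excerpt lists none; confirm against the full Fortinet advisory before trusting that result.

```python
# Added example (not Fortinet's code or the article's): triage Fortinet devices
# against the affected versions listed above for CVE-2022-40684.

# Inclusive (low, high) ranges per release train, taken from the affected list above.
AFFECTED = {
    "FortiOS": [((7, 2, 0), (7, 2, 1)), ((7, 0, 0), (7, 0, 6))],
    "FortiProxy": [((7, 2, 0), (7, 2, 0)), ((7, 0, 0), (7, 0, 6))],
    "FortiSwitchManager": [((7, 2, 0), (7, 2, 0)), ((7, 0, 0), (7, 0, 0))],
}


def parse_version(text):
    """Turn '7.0.5' into (7, 0, 5); reject anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product, version):
    """True when the product/version falls inside one of the listed ranges.

    Versions outside every listed range (older trains, or fixed releases) return
    False because this excerpt does not list them; verify with the full advisory.
    """
    ranges = AFFECTED.get(product)
    if ranges is None:
        raise ValueError(f"product not covered by this advisory excerpt: {product!r}")
    v = parse_version(version)
    return any(low <= v <= high for low, high in ranges)


def triage(inventory_csv):
    """Return hostnames whose product/version is affected.

    Input format (assumed, constructed for this example): one 'host,product,version'
    record per line. Malformed lines raise rather than being silently skipped, so
    a broken export cannot hide a vulnerable device.
    """
    hits = []
    for line in inventory_csv.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            raise ValueError(f"malformed inventory line: {line!r}")
        host, product, version = fields
        if is_affected(product, version):
            hits.append(host)
    return hits


# Constructed sample inventory; the hostnames are not real devices.
SAMPLE_INVENTORY = """\
fw-edge-01,FortiOS,7.0.5
fw-edge-02,FortiOS,7.2.2
proxy-01,FortiProxy,7.2.0
proxy-02,FortiProxy,6.4.9
fsm-01,FortiSwitchManager,7.2.0
"""

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2022-40684, upgrade or apply the workaround")
```

Run it against a real export after adjusting the three-field layout to whatever your asset system produces; the point of the explicit ranges is that a new Fortinet advisory revision can be folded in by editing `AFFECTED` rather than the logic.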