Multiple Critical Vulnerabilities in FortiNAC and FortiWeb
19 February 2023
Fortinet has released security updates to address multiple critical vulnerabilities in their FortiNAC and FortiWeb products.
The vulnerabilities are:
CVE-2022-39952: An external control of file name or path vulnerability in the FortiNAC web server, leading to unauthorised arbitrary file writes on the system
CVE-2021-42756: Multiple stack-based buffer overflow vulnerabilities in the FortiWeb proxy daemon, leading to unauthorised arbitrary code execution via specifically crafted HTTP requests
Successful exploitation of the vulnerabilities could allow an unauthenticated attacker to perform arbitrary code or command execution.
The products affected by the vulnerabilities include:
FortiNAC version 9.4.0
FortiNAC version 9.2.0 through 9.2.5
FortiNAC version 9.1.0 through 9.1.7
FortiNAC 8.8 all versions
FortiNAC 8.7 all versions
FortiNAC 8.6 all versions
FortiNAC 8.5 all versions
FortiNAC 8.3 all versions
FortiWeb 5.x all versions
FortiWeb versions 6.0.7 and below
FortiWeb versions 6.1.2 and below
FortiWeb versions 6.2.6 and below
FortiWeb versions 6.3.16 and below
FortiWeb 6.4 all versions
Users and administrators of affected product versions are advised to upgrade to the latest versions immediately.
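As an added example (not part of the advisory or Fortinet's own tooling), the following Python helper turns the affected version list above into a check an administrator can run against an inventory of installed builds; the ranges are transcribed from this advisory, and the version-comparison logic and the function names are assumptions of the example.

```python
"""Added example: decide whether an installed FortiNAC or FortiWeb build falls
inside the affected version ranges listed in this advisory. The ranges are
transcribed from the advisory text; the helper code itself is assumed."""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'9.2.5' -> (9, 2, 5). Missing trailing components are padded with 0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


# (low, high): inclusive bounds. high=None means "all versions" on the branch
# named by low (prefix match), e.g. ("8.8", None) covers every 8.8.x build.
AFFECTED = {
    "FortiNAC": ("CVE-2022-39952", [
        ("9.4.0", "9.4.0"),
        ("9.2.0", "9.2.5"),
        ("9.1.0", "9.1.7"),
        ("8.8", None), ("8.7", None), ("8.6", None), ("8.5", None), ("8.3", None),
    ]),
    "FortiWeb": ("CVE-2021-42756", [
        ("5", None),            # 5.x all versions
        ("6.0", "6.0.7"),       # 6.0.7 and below
        ("6.1", "6.1.2"),       # 6.1.2 and below
        ("6.2", "6.2.6"),       # 6.2.6 and below
        ("6.3", "6.3.16"),      # 6.3.16 and below
        ("6.4", None),          # 6.4 all versions
    ]),
}


def _in_range(v: Version, low: str, high: Optional[str]) -> bool:
    lo = tuple(int(p) for p in low.split("."))  # unpadded: keeps prefix length
    if high is None:
        return v[: len(lo)] == lo  # whole branch is affected
    hi = tuple(int(p) for p in high.split("."))
    return lo <= v <= hi  # tuple order: a shorter prefix sorts before its children


def affected_cves(product: str, version: str) -> List[str]:
    """Return the CVE ids from this advisory that apply to product/version."""
    if product not in AFFECTED:
        raise ValueError(f"unknown product: {product}")
    cve, ranges = AFFECTED[product]
    v = parse_version(version)
    return [cve] if any(_in_range(v, lo, hi) for lo, hi in ranges) else []


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for prod, ver in [("FortiNAC", "9.2.3"), ("FortiNAC", "9.2.6"),
                      ("FortiWeb", "6.3.17"), ("FortiWeb", "5.4.0")]:
        print(prod, ver, affected_cves(prod, ver) or "not listed as affected")
```

A build that is not matched is only "not listed in this advisory", not proven safe; confirm against the FortiGuard PSIRT entries linked below before closing a ticket.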
More information is available here:
https://www.fortiguard.com/psirt/FG-IR-22-300
https://www.fortiguard.com/psirt/FG-IR-21-186
https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaws-in-fortinac-and-fortiweb/amp