Let's Talk

Fortinet provides critical security updates for 40 vulnerabilities in its products, including FortiWeb, FortiOS, FortiNAC and FortiProxy.

Updated Fri, April 14, 2023 4:28 EST

Fortinet has just released critical security updates to address 40 vulnerabilities in their software collection, such as FortiWeb, FortiOS, FortiNAC and more. Two of the flaws have been rated Critical while 15 are High severity-level issues. Additionally, there are 22 Medium-rated bugs and one Low severity bug detected among them all. The highest risk is a severe vulnerability existing within the FortiNAC network access control solution (CVE-2022-39952; CVSS score: 9.8) which could potentially enable arbitrary code execution if exploited correctly by an attacker! "An external control of file name or path vulnerability [CWE-73] in FortiNAC web server may allow an unauthenticated attacker to perform arbitrary write on the system," Fortinet said in an advisory earlier this week.

The products impacted by the vulnerability are as follows :

  • FortiNAC version 9.4.0
  • FortiNAC version 9.2.0 through 9.2.5
  • FortiNAC version 9.1.0 through 9.1.7
  • FortiNAC 8.8 all versions
  • FortiNAC 8.7 all versions
  • FortiNAC 8.6 all versions
  • FortiNAC 8.5 all versions, and
  • FortiNAC 8.3 all versions
  • Firmly emphasize the urgency to update FortiNAC versions 7.2.0, 9.1.8, and 9.1.8 with the released patches - Horizon3.Ai has provided notice that it will soon release a proof-of-concept (PoC) code for any existing vulnerability in its system! Act now before this serious security issue becomes your problem too; protect yourself by taking advantage of these updates right away! FortiWeb's proxy daemon is susceptible to a stack-based buffer overflow (CVE-2021-42756, CVSS score: 9.3) that could potentially allow an unauthenticated remote attacker to introduce arbitrary code execution via specially constructed HTTP requests. Fortunately, versions FortiWeb 6.0.8, 6.1.3, 6.2 7.,6 3 .17 and 7 0 .0 contain the necessary fixes for this vulnerability; all users are advised to update their installations promptly in order to prevent any malicious intrusions on their system security!

    Fortinet's product security team discovered and reported both of these flaws internally. Interestingly, CVE-2021-42756 appears to have been identified in 2021 but not openly revealed until now.


    Get the latest news, invites to events, and threat alerts

    We’re remote friendly, with office in Miami: Miami

    Get the latest news, invites to events, and threat alerts