Security News > 2023 > February > Fortinet plugs critical security hole in FortiNAC, with a PoC incoming (CVE-2022-39952)
Fortinet has dropped fixes for 40 vulnerabilities in a variety of its products, including two critical vulnerabilities affecting its FortiNAC and FortiWeb solutions.
Since cyberattackers love to exploit vulnerabilities in Fortinet enterprise solutions and a PoC exploit for CVE-2022-39952 is expected to be released soon, admins are advised to get a move on patching.
It has been fixed in FortiNAC version 9.4.1 or above, 9.2.6 or above, 9.1.8 or above, and 7.2.0 or above.
It has been fixed in FortiWeb version 7.0.0 or above, 6.3.17 or above, 6.2.7 or above, 6.1.3 or above, and 6.0.8 or above.
Both vulnerabilities have been unarthed by members of the Fortinet Product Security team, but the company did not mention why it took so long to push fixes for the latter.
Most of the remaining fixed vulnerabilities have also been found by Fortinet employees, which points to a concerted internal push to pinpoint and fix security weaknesses in the company's products.
News URL
https://www.helpnetsecurity.com/2023/02/20/cve-2022-39952/
Related news
- Double trouble for Fortinet as it issues critical FortiSIEM vulns (source)
- Fortinet snafu: Critical FortiSIEM CVEs are duplicates, issued in error (source)
- Critical Patches Released for New Flaws in Cisco, Fortinet, VMware Products (source)
- Fortinet Warns of Critical FortiOS SSL VPN Flaw Likely Under Active Exploitation (source)
- Fortinet's week to forget: Critical vulns, disclosure screw-ups, and that toothbrush DDoS attack claim (source)
- Critical Fortinet FortiOS flaw exploited in the wild (CVE-2024-21762) (source)
- Three critical application security flaws scanners can’t detect (source)
- Critical Fortinet flaw may impact 150,000 exposed devices (source)
- Fortinet warns of critical RCE bug in endpoint management software (source)
- PoC for critical Arcserve UDP vulnerabilities published (CVE-2024-0799, CVE-2024-0800) (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-02-16 | CVE-2022-39952 | Exposure of Resource to Wrong Sphere vulnerability in Fortinet Fortinac A external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP request. | 9.8 |