
Fortinet FortiADC Authenticated RCE and More Fortinet Vulnerabilities

Fortinet announced two High and three Medium severity vulnerabilities this week.

6th January 2023

FortiADC Authenticated RCE Vulnerability

Fortinet has released a security bulletin for an authenticated remote code execution vulnerability in FortiADC.

CVE-2022-39947 (CVSS v3: 8.6 – High) is an improper neutralization of special elements used in an OS command (OS command injection, CWE-78). It allows an authenticated attacker with access to the web GUI to execute arbitrary code or commands via specifically crafted HTTP requests, so any account that can log in to the management interface, not just a full administrator, is a potential entry point.

Affected Products

FortiADC version 7.0.0 through 7.0.1
FortiADC version 6.2.0 through 6.2.3
FortiADC version 5.4.0 through 5.4.5
FortiADC all versions 6.1
FortiADC all versions 6.0

Security Patches

FortiADC 7.x should be upgraded to 7.0.2 or above
FortiADC 6.x (including 6.0 and 6.1 deployments) should be upgraded to 6.2.4 or above
FortiADC 5.x will receive a fix in 5.4.6, which has not yet shipped; until it is available, 5.x deployments remain exposed to every account that can reach the web GUI, so restricting GUI access to trusted networks and reviewing administrative accounts is the interim control
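The affected ranges and fix versions above are branch-specific (a 6.1 box is affected in full and must move to the 6.2 train, while 5.x has no fix yet), which is easy to get wrong when triaging a fleet by hand. The following is an added example, not Fortinet's code or anything from the bulletin: it encodes the ranges as published above and classifies FortiADC version strings. The version-string format, the inventory and the interim-mitigation wording are assumptions constructed for the example.

```python
"""Triage helper for CVE-2022-39947 (FortiADC).

Added example, not Fortinet's code. The affected/fixed ranges are the ones
published in the bulletin; version strings and the inventory are constructed.
"""
import re

# Affected ranges from the bulletin: (branch, lowest affected, highest affected).
# An upper bound of None means every release on that branch is affected.
AFFECTED = [
    ((7, 0), (7, 0, 0), (7, 0, 1)),
    ((6, 2), (6, 2, 0), (6, 2, 3)),
    ((5, 4), (5, 4, 0), (5, 4, 5)),
    ((6, 1), (6, 1, 0), None),
    ((6, 0), (6, 0, 0), None),
]

# First fixed release per major train. 5.x has a fix announced (5.4.6) but
# not yet shipped at the time of the bulletin, so it maps to None.
FIXED = {7: (7, 0, 2), 6: (6, 2, 4), 5: None}


def parse_version(s):
    """Parse 'v7.0.1,build0131 (GA)' or '7.0.1' into a (major, minor, patch) tuple.

    The leading 'v' and the trailing build/label suffix are assumed formats,
    accepted so strings pasted from the GUI or CLI can be fed in directly.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:\D.*)?", s.strip())
    if not m:
        raise ValueError(f"unrecognised FortiADC version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the (major, minor, patch) tuple falls inside a published range."""
    branch = version[:2]
    for affected_branch, low, high in AFFECTED:
        if branch != affected_branch:
            continue
        if version < low:
            return False
        return high is None or version <= high
    # Branches the bulletin does not list (e.g. 7.1) are treated as not affected.
    return False


def triage(version_str):
    """Return (affected, fix) where fix is the first patched release or None.

    (False, None)  -> not in an affected range
    (True, x.y.z)  -> affected, upgrade to x.y.z or later
    (True, None)   -> affected and no fixed release available yet
    """
    v = parse_version(version_str)
    if not is_affected(v):
        return (False, None)
    return (True, FIXED.get(v[0]))


def report(inventory):
    """Render one line per device for a human reader."""
    lines = []
    for host, ver in inventory:
        affected, fix = triage(ver)
        if not affected:
            status = "not affected"
        elif fix is None:
            # Interim control is general hardening advice, not from the bulletin.
            status = "AFFECTED, no fix shipped: restrict web GUI exposure"
        else:
            status = "AFFECTED, upgrade to %d.%d.%d or later" % fix
        lines.append(f"{host:12} {ver:28} {status}")
    return lines


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    constructed_inventory = [
        ("adc-dc1-01", "v7.0.1,build0131 (GA)"),
        ("adc-dc1-02", "v7.0.2,build0140 (GA)"),
        ("adc-dc2-01", "v6.1.5,build0990 (GA)"),
        ("adc-lab-01", "v5.4.5,build0688 (GA)"),
        ("adc-lab-02", "7.1.0"),
    ]
    print("\n".join(report(constructed_inventory)))
```

Run it against the version strings your own inventory tool exports; any `(True, None)` result is a 5.x device that needs a compensating control rather than a patch, and any branch the bulletin does not list is deliberately reported as not affected rather than guessed at.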

More Vulnerabilities

CVE-2022-35845 (CVSS v3: 7.6 – High) – FortiTester – Multiple command injection vulnerabilities in GUI and API

CVE-2022-41336 (CVSS v3: 6.6 – Medium) – FortiPortal – XSS observed on policy column settings

CVE-2022-45857 (CVSS v3: 6.0 – Medium) – FortiManager – Incorrect user management behavior leads to passwordless admin

FG-IR-22-250 (CVSS v3: 5.3 – Medium) – FortiWeb – header injection in FortiWeb API