
WARNING: COMMAND INJECTION VULNERABILITY IN WEB INTERFACE FORTIADC

Reference: Advisory #2023-02
Version: 1.0
Affected software:
FortiADC version 7.0.0 through 7.0.1
FortiADC version 6.2.0 through 6.2.3
FortiADC version 5.4.0 through 5.4.5
FortiADC all versions 6.1
FortiADC all versions 6.0
Type: Command injection
CVE/CVSS: CVE-2022-39947

Sources

https://www.fortiguard.com/psirt/FG-IR-22-061

Risks

By successfully exploiting vulnerability CVE-2022-39947, an authenticated attacker with access to the web GUI can execute unauthorized code or commands via specifically crafted HTTP requests.

FortiADC is an application delivery controller widely used in enterprise and cloud deployments. It is notable that adversaries have been exploiting vulnerabilities in multiple Fortinet products in the past few months.

Description

CVE-2022-39947 is an OS command injection vulnerability in FortiADC caused by improper neutralization of special elements used in an OS command.

Recommended actions

Fortinet recommends patching affected software:

Upgrade to FortiADC version 7.0.2 or above
Upgrade to FortiADC version 6.2.4 or above
Upgrade to FortiADC version 5.4.6 or above (upcoming at this time of writing)
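
The affected and fixed versions above, turned into a quick inventory triage as an added example (not code from CERT.be or Fortinet). The hostnames and versions in the sample inventory are constructed, and the remediation shown for the 6.0 and 6.1 branches, for which the advisory lists no fixed build, is this example's own reading of the upgrade list.

```python
# Added example (not CERT.be's or Fortinet's code): triage FortiADC
# versions against the CVE-2022-39947 ranges listed in this advisory.
from typing import Optional, Tuple

# (first affected, last affected, fixed release) per the advisory.
# fixed=None: the advisory lists no fixed build in that branch.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 0, 1), "7.0.2"),
    ((6, 2, 0), (6, 2, 3), "6.2.4"),
    ((5, 4, 0), (5, 4, 5), "5.4.6 (upcoming at time of writing)"),
    ((6, 1, 0), (6, 1, 999), None),  # all 6.1 releases
    ((6, 0, 0), (6, 0, 999), None),  # all 6.0 releases
]

def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; reject anything else loudly."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiADC version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch

def assess(version_text: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, remediation) for one version string."""
    v = parse_version(version_text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            if fixed is None:
                # Assumption: no fixed 6.0/6.1 build is listed, so move to a fixed branch.
                return True, "no fixed build in this branch; move to 6.2.4 or 7.0.2 or above"
            return True, f"upgrade to {fixed} or above"
    return False, None

# Constructed sample inventory (hostname,version); not real devices.
SAMPLE_INVENTORY = """\
adc-dmz-01,7.0.1
adc-dmz-02,7.0.2
adc-core-01,6.2.3
adc-lab-01,6.1.4
adc-old-01,5.4.5
"""

def triage(inventory_csv: str) -> dict:
    """Map hostname -> remediation for every affected device."""
    findings = {}
    for line in inventory_csv.splitlines():
        host, _, ver = line.partition(",")
        affected, action = assess(ver)
        if affected:
            findings[host] = action
    return findings
```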

More information

For more information, please read Fortinet’s dedicated security advisory: https://www.fortiguard.com/psirt/FG-IR-22-061