Fortinet Releases Patches for High-Severity Vulnerabilities in FortiADC, FortiOS and FortiProxy

May 5, 2023

Fortinet has recently announced its monthly set of security updates, addressing nine vulnerabilities across multiple products. Among these, two high-severity vulnerabilities impacting FortiADC, FortiOS, and FortiProxy have been identified. The most severe issue is tracked as CVE-2023-27999 and affects the FortiADC application delivery controller. Described as an "improper neutralization of special elements used in an OS command vulnerability," an attacker could exploit this vulnerability by using crafted arguments to existing commands, allowing them to execute unauthorized commands. To exploit the vulnerability, the attacker needs to be authenticated. The issue impacts FortiADC versions 7.2.0, 7.1.1, and 7.1.0 and has been addressed with the release of FortiADC versions 7.2.1 and 7.1.2.

The second high-severity flaw, CVE-2023-22640, is an out-of-bounds write in the sslvpnd component of FortiOS and FortiProxy. This bug allows an authenticated attacker to send specifically crafted requests to achieve arbitrary code execution. The vulnerability was discovered in FortiOS versions 7.2.x, 7.0.x, 6.4.x 6.2.x, and 6.0.x, and FortiProxy versions 7.2.x, 7.0.x, 2.0.x, and 1.x.x. Fortinet has addressed the issue with the release of FortiOS versions 7.4.0, 7.2.4, 7.0.11, 6.4.12, and 6.2.14, and in FortiProxy versions 7.2.2 and 7.0.8.

In addition to these high-severity vulnerabilities, Fortinet also released patches for medium-severity flaws in FortiNAC and FortiADC. These include hard-coded credentials, improper neutralization of input, path traversal, and weak authentication issues. Multiple low-severity bugs in FortiNAC have also been addressed. More information on the resolved vulnerabilities can be found on Fortinet's PSIRT advisories page.

Fortinet has not reported any instances of these vulnerabilities being exploited in malicious attacks. However, it is known that flaws in unpatched Fortinet products are often exploited. As a result, customers are advised to apply the available security updates as soon as possible. Related articles include reports on Fortinet patching a critical vulnerability in their data analytics solution, the exploitation of a recent Fortinet zero-day linked to Chinese cyberspies, and the discovery of a zero-day exploit in government attacks after devices detected an integrity breach.

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.