Fortinet Releases Security Updates for FortiNAC and FortiWeb

February 17, 2023

Fortinet has released security updates for its FortiNAC and FortiWeb products, addressing two critical-severity vulnerabilities. CVE-2022-39952, impacting FortiNAC, has a CVSS v3 score of 9.8 (critical). FortiNAC is a network access control solution that helps organizations gain real-time network visibility, enforce security policies, and detect and mitigate threats. According to Fortinet's security advisory, "An external control of file name or path vulnerability [CWE-73] in FortiNAC webserver may allow an unauthenticated attacker to perform arbitrary write on the system." An unauthenticated arbitrary file write on a web server is commonly a short step from code execution, which is why the flaw is rated critical. The fixed releases are FortiNAC 9.4.1 and later, 9.2.6 and later, 9.1.8 and later, and 7.2.0 and later; earlier builds on those release branches are affected.

The second vulnerability, CVE-2021-42756, impacting FortiWeb, has a CVSS v3 score of 9.3 (critical). FortiWeb is a web application firewall (WAF) solution designed to protect web applications and APIs from cross-site scripting (XSS), SQL injection, bot attacks, distributed denial of service (DDoS), and other online threats. According to Fortinet, "Multiple stack-based buffer overflow vulnerabilities [CWE-121] in FortiWeb's proxy daemon may allow an unauthenticated remote attacker to achieve arbitrary code execution via specifically crafted HTTP requests." The fixed releases are FortiWeb 7.0.0 or later, 6.3.17 or later, 6.2.7 or later, 6.1.3 or later, and 6.0.8 or later; earlier builds on those release branches are affected. Because both flaws are reachable without authentication, admins should apply the available security updates promptly, starting with any internet-exposed devices. As Fortinet's security advisory states, "There are no workarounds or mitigations available."
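Fortinet states its fixes per release branch ("9.2.6 or above" covers 9.2.x builds at or above 9.2.6, not 9.4.0, and FortiNAC's fixed 7.2.0 branch is numerically lower than the vulnerable 9.x branches), so a plain numeric version comparison will misclassify devices. The following is an added example, not code from the article or from Fortinet, that checks an inventory of build numbers against the fixed releases listed above for both CVEs. The fixed-release numbers are taken from the advisories as quoted here; the branch-matching semantics, the conservative rule that a build on a branch with no listed fixed release is treated as affected, and the sample inventory are assumptions made for the example.

```python
"""Branch-aware check of Fortinet build numbers against the fixed releases named
in the FortiNAC (CVE-2022-39952) and FortiWeb (CVE-2021-42756) advisories.

Added example; the thresholds come from the advisories, the matching rules and
the inventory below are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Fixed releases as stated in the advisories, keyed by CVE.
FIXED_RELEASES: dict[str, list[str]] = {
    "CVE-2022-39952": ["9.4.1", "9.2.6", "9.1.8", "7.2.0"],            # FortiNAC
    "CVE-2021-42756": ["7.0.0", "6.3.17", "6.2.7", "6.1.3", "6.0.8"],  # FortiWeb
}


def parse_version(text: str) -> tuple[int, ...]:
    """'9.2.6' -> (9, 2, 6). Rejects anything that is not dotted integers,
    so a malformed inventory entry fails loudly instead of being skipped."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def branch(version: tuple[int, ...]) -> tuple[int, int]:
    """Release branch is major.minor, e.g. (9, 2) for 9.2.6."""
    return (version[0], version[1])


@dataclass(frozen=True)
class Verdict:
    cve: str
    installed: str
    fixed: bool
    reason: str


def check(cve: str, installed: str) -> Verdict:
    """Compare an installed build against the fixed release on the same branch.

    A build is only considered fixed when its own branch has a listed fixed
    release and the build is at or above it. Tuple comparison handles the
    patch level: (9, 2, 10) >= (9, 2, 6) is True, while a bare '9.2' is below
    '9.2.6' because the shorter tuple sorts first.
    """
    v = parse_version(installed)
    for fixed in FIXED_RELEASES[cve]:
        f = parse_version(fixed)
        if branch(f) != branch(v):
            continue
        if v >= f:
            return Verdict(cve, installed, True,
                           f"{installed} is at or above fixed release {fixed}")
        return Verdict(cve, installed, False,
                       f"{installed} is below fixed release {fixed} on the same branch")
    # Assumption: a branch with no listed fixed release (e.g. FortiNAC 8.8.x or
    # FortiWeb 6.4.x) is treated as affected until verified against the advisory.
    return Verdict(cve, installed, False,
                   "branch has no listed fixed release; treat as affected")


def report(inventory: list[tuple[str, str, str]]) -> list[Verdict]:
    """inventory rows are (hostname, cve, installed_version); returns one verdict per row."""
    return [check(cve, version) for _host, cve, version in inventory]


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    ("nac-01", "CVE-2022-39952", "9.4.0"),    # one patch level short of 9.4.1
    ("nac-02", "CVE-2022-39952", "9.2.6"),    # exactly the fixed release
    ("nac-03", "CVE-2022-39952", "7.2.0"),    # fixed despite the lower major number
    ("nac-04", "CVE-2022-39952", "8.8.11"),   # branch not in the fixed list
    ("waf-01", "CVE-2021-42756", "6.3.16"),   # one patch level short of 6.3.17
    ("waf-02", "CVE-2021-42756", "7.0.1"),    # above 7.0.0 on the 7.0 branch
]

if __name__ == "__main__":
    for (host, _cve, _ver), verdict in zip(SAMPLE_INVENTORY, report(SAMPLE_INVENTORY)):
        status = "OK      " if verdict.fixed else "AFFECTED"
        print(f"{status} {host:8} {verdict.cve} {verdict.installed:8} {verdict.reason}")
```

Feed it the firmware versions pulled from your own inventory (FortiNAC's administration UI and FortiWeb's `get system status` both report the build), and treat any "branch has no listed fixed release" result as a prompt to read the advisory rather than as a clean bill of health.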
