Fortinet Remote Code Execution Vulnerabilities (CVE-2022-39952 & CVE-2021-42756)

2 critical Remote Code Execution vulnerabilities (CVE-2022-39952 and CVE-2021-42756) were identified in Fortinet products recently.  An unauthenticated attacker could exploit these vulnerabilities to perform arbitrary code execution.

Fortinet has released the patches to remediate these vulnerabilities and strongly recommends customers to apply the update IMMEDIATELY.

Vulnerabilities

• CVE-2022-39952
• CVE-2021-42756

Severity Level

• Critical

Affected Products

• FortiNAC version 9.4.0,
  FortiNAC version 9.2.0 through 9.2.5,
  FortiNAC version 9.1.0 through 9.1.7,
  FortiNAC 8.8 all versions,
  FortiNAC 8.7 all versions,
  FortiNAC 8.6 all versions,
  FortiNAC 8.5 all versions,
  FortiNAC 8.3 all versions.
• FortiWeb versions 5.x all versions,
  FortiWeb versions 6.0.7 and below,
  FortiWeb versions 6.1.2 and below,
  FortiWeb versions 6.2.6 and below,
  FortiWeb versions 6.3.16 and below,
  FortiWeb versions 6.4 all versions.

Remediation

• Please apply the update patches in your department devices immediately.
  • for CVE-2022-39952
  • for CVE-2021-42756

Reference

• https://www.fortiguard.com/psirt/FG-IR-22-300
• https://www.fortiguard.com/psirt/FG-IR-21-186

Enquiry

• For enquiries, please contact infosec@cuhk.edu.hk. Thanks a lot.

Published on: 10 Mar 2023