Fortinet has released fixes for a serious vulnerability in several versions of its popular FortiADC application delivery controller that could allow an attacker to run arbitrary code.
The vulnerability (CVE-2022-39947) is an OS command injection bug in the way the software handles certain commands. It affects FortiADC versions 7.0.0 through 7.0.2, 6.2.0 through 6.2.3, 6.1.0 through 6.1.6, 6.0.0 through 6.0.4, and 5.4.0 through 5.4.5.
“An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiADC may allow an authenticated attacker with access to the web GUI to execute unauthorized code or commands via specifically crafted HTTP requests,” the Fortinet security advisory says.
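To make the CWE-78 class concrete, here is an added illustration in Python. It is not FortiADC code and says nothing about where the FortiADC bug lives; the ping-style admin action, the hostname allow-list and the use of `echo` as a stand-in for the network tool are assumptions made so the example runs anywhere. The pattern it shows is the one CWE-78 describes: a value from an authenticated user's HTTP request is pasted into a command string that a shell parses, versus the same value validated and passed as a single argv element with no shell at all.

```python
import re
import subprocess

# Allow-list for a hostname argument: letters, digits, dots and hyphens.
# No leading '-' so the value cannot be read as an option by the tool.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def run_vulnerable(tool: str, host: str) -> str:
    """CWE-78: user input is pasted into a command line that /bin/sh parses.

    ';', '|', '$(...)' and backticks inside `host` are shell syntax, so a
    caller who controls `host` runs whatever they append after it.
    """
    cmd = f"{tool} {host}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def run_hardened(tool: str, host: str) -> str:
    """Hardened form: validate against the allow-list, then exec the tool
    directly with an argument vector. No shell is involved, so metacharacters
    carry no meaning, and the regex rejects them before exec anyway."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host argument: {host!r}")
    result = subprocess.run([tool, host], capture_output=True, text=True)
    return result.stdout


def hardened_rejects(tool: str, host: str) -> bool:
    """True if the hardened handler refuses `host` instead of running it."""
    try:
        run_hardened(tool, host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # 'echo' stands in for the network tool (assumption). The payload is the
    # kind of value a crafted request parameter could carry.
    payload = "127.0.0.1; echo INJECTED"
    print("vulnerable:", repr(run_vulnerable("echo", payload)))
    print("hardened rejects payload:", hardened_rejects("echo", payload))
    print("hardened ok:", repr(run_hardened("echo", "127.0.0.1")))
```

Running it shows the vulnerable handler printing two lines, the second produced by the injected `echo INJECTED`, while the hardened handler refuses the same input. Validation and argv-style execution are separate layers: keep both, because argv alone still permits option injection (a value beginning with `-`) against tools that do not stop option parsing.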
The FortiADC application delivery controller is used widely in enterprises and in cloud deployments to provide security functionality, application acceleration, and load balancing. Fortinet products have been attractive targets for attackers in recent years, and many different groups of adversaries have exploited vulnerabilities in Fortinet gear. In November, the Hive ransomware actors began exploiting an authentication-bypass vulnerability in the FortiOS SSL VPN for initial access before deploying the ransomware.
And in December, unknown attackers exploited a zero-day in FortiGate firewall appliances.
“A heap-based buffer overflow vulnerability in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests,” the Fortinet advisory says.
“Fortinet is aware of an instance where this vulnerability was exploited in the wild.”
Fortinet has published updated versions of the affected software, 7.0.3 and 6.2.4, that address the FortiADC vulnerability (7.0.2 is itself in the affected range) and is encouraging organizations to install the new versions as soon as possible.
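For anyone with more than a handful of FortiADC units, the practical question is which ones fall in the affected ranges. The following is an added Python check written for this page, not a Fortinet tool. The ranges and fixed releases are the ones stated above; the hostnames and version strings in the sample inventory are constructed, and the handling of a `v` prefix or a `,build...` suffix on the version string is an assumption about how versions might be recorded in an asset list.

```python
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges, inclusive, as listed in the article.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((7, 0, 0), (7, 0, 2)),
    ((6, 2, 0), (6, 2, 3)),
    ((6, 1, 0), (6, 1, 6)),
    ((6, 0, 0), (6, 0, 4)),
    ((5, 4, 0), (5, 4, 5)),
]

# First fixed release on each train that received a fix.
FIXED_BY_TRAIN = {(7, 0): (7, 0, 3), (6, 2): (6, 2, 4)}

# Accepts '7.0.1', 'v7.0.1' or '7.0.1,build0085' (suffix format assumed).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    v = parse_version(version)
    # Tuple comparison is lexicographic, so inclusive range checks are direct.
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version: str) -> Optional[str]:
    """Fixed release to move to, or None if the version is not affected."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    fixed = FIXED_BY_TRAIN.get(v[:2])
    if fixed is None:
        # 6.1, 6.0 and 5.4 have no fixed release listed; move to a train that has one.
        fixed = FIXED_BY_TRAIN[(6, 2)]
    return ".".join(map(str, fixed))


def audit(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, upgrade_to) for every affected device."""
    rows = []
    for host, ver in inventory:
        target = recommended_upgrade(ver)
        if target is not None:
            rows.append((host, ver, target))
    return rows


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("adc-dc1-01", "7.0.1"),
    ("adc-dc1-02", "v7.0.3"),
    ("adc-dc2-01", "6.2.3,build0000"),
    ("adc-lab-01", "5.4.5"),
]

if __name__ == "__main__":
    for host, ver, target in audit(SAMPLE_INVENTORY):
        print(f"{host:<12} {ver:<16} upgrade to {target}")
```

Feed `audit()` the output of whatever asset system holds the firmware versions; the parser deliberately refuses anything it cannot read rather than silently treating it as unaffected.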