
FortiADC Command Injection Vulnerability - 20230105001

Overview

An improper neutralization of special elements used in an OS command ('OS Command Injection', CWE-78) vulnerability in FortiADC may allow an authenticated attacker with access to the web GUI to execute unauthorized code or commands via specifically crafted HTTP requests. Exploitation requires authenticated GUI access, so management interfaces reachable from untrusted networks, and shared or weak administrator credentials, raise the practical risk of this flaw.
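The advisory names the weakness class but, as is normal for a vendor PSIRT notice, not the affected code path. The following is an added, constructed illustration of CWE-78 in the shape the advisory describes (an authenticated web handler passing a request parameter into an OS command); it is not FortiADC code and does not reproduce the FortiADC flaw. The "ping diagnostics" handler, the `host` parameter and the attacker payload are assumptions for the demonstration. The vulnerable form splices the parameter into a shell string; the hardened form allowlists the value and calls the binary with an argv list and no shell.

```python
import re
import subprocess

# Constructed illustration of CWE-78 (OS command injection), the weakness
# class named in the advisory. This is NOT FortiADC code and does not show the
# FortiADC flaw itself, which the vendor has not published. Assumed scenario:
# a web GUI "ping diagnostics" handler that takes a host from an HTTP request
# parameter and runs ping against it.


def vulnerable_command(host: str) -> str:
    """Splice the untrusted parameter straight into a shell command line."""
    return f"ping -c 1 {host}"


def run_vulnerable(host: str) -> str:
    """Execute via /bin/sh, so shell metacharacters in `host` are honoured.

    With host = "127.0.0.1; echo INJECTED" the shell runs two commands, and the
    second one runs whether or not ping is installed or succeeds.
    """
    proc = subprocess.run(vulnerable_command(host), shell=True,
                          capture_output=True, text=True, timeout=15)
    return proc.stdout


# Hardened form: allowlist the value, then build argv and never involve a shell.
# The pattern admits IPv4 literals and DNS-style hostnames; a leading "-" is
# excluded so the value cannot be parsed by ping as an option (argument
# injection), which shell=False alone would not prevent.
_HOST_RE = re.compile(r"(?!-)[A-Za-z0-9.-]{1,253}")


def is_valid_host(host: str) -> bool:
    """True only for values matching the strict allowlist above."""
    return _HOST_RE.fullmatch(host) is not None


def safe_argv(host: str) -> list:
    """Validate `host` and return the argv list for subprocess without a shell."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def run_safe(host: str) -> str:
    """Run the validated command as an argv list; no shell parsing occurs."""
    proc = subprocess.run(safe_argv(host), capture_output=True, text=True,
                          timeout=15)
    return proc.stdout


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"   # constructed attacker input
    print(run_vulnerable(payload))          # shell output contains INJECTED
    print(is_valid_host(payload))           # False: hardened path rejects it
    print(safe_argv("127.0.0.1"))
```

The two changes matter independently: dropping `shell=True` removes the shell's interpretation of `;`, `|` and `$(...)`, while the allowlist removes argument injection and anything else the downstream binary might interpret. Where a diagnostic can be done with a library call instead of an external binary, that is preferable to either.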

What is the vulnerability?

CVE-2022-39947 - CVSSv3 Score 8.6

What is vulnerable?

The vulnerability affects the following products:

  • FortiADC version 7.0.0 through 7.0.2
  • FortiADC version 6.2.0 through 6.2.3
  • FortiADC version 6.1.0 through 6.1.6
  • FortiADC version 6.0.0 through 6.0.4
  • FortiADC version 5.4.0 through 5.4.5
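To check a fleet against the ranges above, the following added triage helper (not part of the WA SOC advisory or of any Fortinet tooling) encodes the affected ranges as inclusive numeric tuples and classifies version strings from an inventory. The inventory is constructed sample data, and the accepted version-string shapes ("7.0.2", "v7.0.2", "v7.0.2,build0000") are an assumption about how a collector might record them. The point it makes is that the comparison must be numeric per component: a string comparison puts "7.0.10" before "7.0.2" and would misclassify it.

```python
import re

# Added triage helper; not part of the WA SOC advisory or any Fortinet tooling.
# It encodes the affected ranges listed above (inclusive, as "through" states)
# and classifies FortiADC version strings from an asset inventory. The
# inventory below is constructed, and the accepted version-string shapes
# ("7.0.2", "v7.0.2", "v7.0.2,build0000") are an assumption about how a
# collector might record them.

AFFECTED_RANGES = [
    ("7.0.0", "7.0.2"),
    ("6.2.0", "6.2.3"),
    ("6.1.0", "6.1.6"),
    ("6.0.0", "6.0.4"),
    ("5.4.0", "5.4.5"),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) as ints; raise ValueError if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """Inclusive range check on numeric tuples, so 7.0.10 sorts after 7.0.2
    (a plain string comparison would wrongly place it before 7.0.2)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(inventory: dict) -> dict:
    """Map each host to 'affected', 'not-listed' or 'unparseable'.

    'not-listed' means the version falls outside every range in the advisory;
    it is not a statement that the build has been assessed as safe.
    """
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not-listed"
        except ValueError:
            result[host] = "unparseable"
    return result


SAMPLE_INVENTORY = {            # constructed sample data
    "adc-prod-01": "v7.0.2,build0000",
    "adc-prod-02": "7.0.3",
    "adc-dr-01": "6.2.3",
    "adc-lab-01": "6.2.4",
    "adc-legacy": "5.4.5",
    "adc-old": "5.3.2",
    "adc-unknown": "n/a",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:<12} {status}")
```

Versions the advisory does not mention at all (for example a 5.3.x build in the sample) are reported as "not-listed" rather than "not affected"; whether such a build needs attention is a question for the vendor advisory, not for this script.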

Recommendation

The WA SOC recommends administrators apply the vendor's solution to all affected platforms as per the Fortinet PSIRT advisory: https://www.fortiguard.com/psirt/FG-IR-22-061. Until the fix is applied, restricting web GUI access to trusted management networks reduces exposure, since exploitation requires an authenticated session on the GUI.
