Cybersecurity solutions company Fortinet has released security updates for its FortiNAC and FortiWeb products, addressing two critical-severity vulnerabilities that may allow unauthenticated attackers to perform arbitrary code or command execution.
FortiNAC is a network access control solution that helps organizations gain real-time network visibility, enforce security policies, and detect and mitigate threats.
“An external control of file name or path vulnerability [CWE-73] in FortiNAC webserver may allow an unauthenticated attacker to perform arbitrary write on the system,” reads the security advisory.
The CVE-2022-39952 vulnerability is fixed in FortiNAC 9.4.1 and later, 9.2.6 and later, 9.1.8 and later, and 7.2.0 and later.
The second vulnerability, CVE-2021-42756, impacts FortiWeb and has a CVSS v3 score of 9.3.
To address the flaw, admins should upgrade to FortiWeb 7.0.0 or later, 6.3.17 or later, 6.2.7 or later, 6.1.3 or later, or 6.0.8 or later.