Fortinet patches product flaws, notifies on new vulnerability

Cybersecurity vendor Fortinet informed users of a new high-severity vulnerability in its FortiADC web interface that could allow threat actors to perform arbitrary code execution, SecurityWeek reports. The company said the bug is being tracked as CVE-2022-39947 and was given a CVSS score of 8.6, and identified FortiADC versions 5.4.x, 6.0.x, 6.1.x, 6.2.x, and 7.0.x as susceptible. "An improper neutralization of special elements used in an OS command vulnerability in FortiADC may allow an authenticated attacker with access to the web GUI to execute unauthorized code or commands via specifically crafted HTTP requests," according to the company, which said it would patch the flaw when it launches FortiADC 6.2.4 and 7.0.2. Meanwhile, Fortinet also announced that it has rolled out FortiTester versions 3.9.2, 4.2.1, 7.1.1, and 7.2.0, which address a collection of high-severity command injection vulnerabilities, tracked as CVE-2022-35845, that affect its FortiTester offering. Fortinet described the bugs as an improper neutralization of special elements that may result in arbitrary command execution in the underlying shell.