CVE-2022-39947 is a new, high-severity security vulnerability in FortiADC, Fortinet's advanced application and database delivery controller. The vulnerability is a command injection flaw in the product's web interface and has been rated 8.6 out of 10 on the CVSS scale.
FortiADC enhances the scalability, performance, and security of applications hosted either on premises or in the cloud. CVE-2022-39947 may allow an authenticated attacker with access to the web GUI to execute unauthorized code or commands via specifically crafted HTTP requests.
What Products Does CVE-2022-39947 Affect?
Here is the list of the affected products and their versions, as per Fortinet's official advisory:
- FortiADC version 7.0.0 through 7.0.1
- FortiADC version 6.2.0 through 6.2.3
- FortiADC version 5.4.0 through 5.4.5
- FortiADC version 6.1, all releases
- FortiADC version 6.0, all releases
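The version list above is easy to misread in a hurry (two branches are affected in full, three only up to a specific patch level). The following added example, written for this page and not taken from Fortinet, encodes the advisory's ranges and triages a constructed inventory of FortiADC appliances against them. The inventory entries, the version-string format (`major.minor.patch`, shorter strings padded with zeros) and the assumption that anything outside the listed branches is not in scope of this advisory are all this example's own.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Inclusive ranges taken from the advisory list on this page.
# "All versions" of a branch is expressed by an open-ended upper patch number.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((7, 0, 0), (7, 0, 1)),        # 7.0.0 through 7.0.1
    ((6, 2, 0), (6, 2, 3)),        # 6.2.0 through 6.2.3
    ((6, 1, 0), (6, 1, 10**6)),    # all 6.1 releases
    ((6, 0, 0), (6, 0, 10**6)),    # all 6.0 releases
    ((5, 4, 0), (5, 4, 5)),        # 5.4.0 through 5.4.5
]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' (or a shorter prefix) into a comparable tuple.

    Assumption for this example: FortiADC reports a dotted numeric version.
    Anything else is rejected rather than silently treated as unaffected.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (numbers[0], numbers[1], numbers[2])


def is_affected(text: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    version = parse_version(text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the inventory hosts (sorted) whose FortiADC version is affected."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


# Constructed sample inventory: hostnames and versions are invented for the demo.
SAMPLE_INVENTORY = {
    "adc-dc1-01": "7.0.1",   # affected: last release before the fix line
    "adc-dc1-02": "7.0.2",   # not in the affected list
    "adc-dc2-01": "6.1.7",   # affected: whole 6.1 branch
    "adc-lab-01": "6.2.4",   # not in the affected list
    "adc-legacy": "5.4",     # treated as 5.4.0 -> affected
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: FortiADC {SAMPLE_INVENTORY[host]} is affected by CVE-2022-39947")
```

Because the advisory lists only specific branches, a version such as 7.1.0 or 5.3.x returns `False` here; that means "not named in this advisory", not "known safe", so treat unlisted branches as a prompt to check the vendor bulletin rather than as a clean result.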
The vulnerability was discovered internally and reported by Gwendal Guégniaud of the Fortinet Product Security Team.
It is noteworthy that command injection vulnerabilities occur when an application passes untrusted input into an operating-system command without adequate validation, allowing an attacker to execute system commands of their choosing on the vulnerable application. This type of attack can allow an attacker to take control of the application, access sensitive data, or even manipulate the underlying system. These vulnerabilities can be exploited via input fields, web forms, or URLs.
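To make the pattern concrete, here is an added example (written for this page; it is not FortiADC code and says nothing about how the real flaw works) of a web-GUI style "ping this host" handler built two ways: a vulnerable version that interpolates the form value into a shell string, and a hardened version that allow-list validates the value and passes it as a separate argument with no shell involved. The handler names, the hostname rules and the sample form values are this example's assumptions.

```python
import re
import subprocess
from typing import List

# Allow-list for a DNS hostname: labels of letters, digits and hyphens joined by dots.
# Anything outside this (spaces, ';', '|', '$', quotes, ...) is rejected outright.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_ping_command_unsafe(host: str) -> str:
    """VULNERABLE: the form value becomes part of a string handed to a shell.

    Whatever the user typed, including shell metacharacters, is forwarded
    verbatim, so the shell would parse it as additional commands.
    """
    return f"ping -c 1 {host}"


def validate_hostname(host: str) -> str:
    """Reject any value that is not a plain hostname; return it unchanged if it is."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname {host!r}")
    return host


def build_ping_command_safe(host: str) -> List[str]:
    """HARDENED: validated value, passed as one argv element, no shell."""
    return ["ping", "-c", "1", validate_hostname(host)]


def run_ping_safe(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened form. shell=False means argv is never re-parsed."""
    return subprocess.run(build_ping_command_safe(host),
                          capture_output=True, text=True, check=False)


# Constructed sample inputs: a normal value and one carrying a classic
# command-separator payload, used here only to show the two handlers diverge.
GOOD_INPUT = "example.com"
BAD_INPUT = "example.com; id"

if __name__ == "__main__":
    print("unsafe builder forwards:", build_ping_command_unsafe(BAD_INPUT))
    try:
        build_ping_command_safe(BAD_INPUT)
    except ValueError as err:
        print("safe builder:", err)
    print("safe argv:", build_ping_command_safe(GOOD_INPUT))
```

The important difference is not the regular expression alone: even a valid-looking value is handed to `subprocess.run` as a single list element, so there is no shell to interpret it. Validation limits what reaches the command; the argv form removes the interpreter that makes metacharacters dangerous in the first place.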
Affected parties should apply the available patches as soon as possible.
Enterprises of all sizes are at risk of various security vulnerabilities. With so much confidential information and data, it’s essential for organizations to take proactive measures to protect their businesses from potential security threats.