Fortinet released security updates for two critical vulnerabilities found in FortiNAC and FortiWeb products. The vulnerabilities could allow unauthenticated attackers to perform arbitrary code or command execution.  

CVE-2022-39952 impacts FortiNAC and has a critical CVSS score of 9.8. FortiNAC is an access control solution for networks that allows organizations to achieve network visibility in real-time, implement and enforce security protocols, and identify and resolve security threats. Fortinet’s advisory states that the vulnerability, known as an external control of file name or path vulnerability [CWE-73], could allow an unauthorized attacker to perform arbitrary write operations on the system without authentication.  

CVE-2022-39952 impacts the following products:  

  • FortiNAC version 9.4.0 
  • FortiNAC version 9.2.0 through 9.2.5 
  • FortiNAC version 9.1.0 through 9.1.7 
  • FortiNAC 8.8 all versions 
  • FortiNAC 8.7 all versions
  • FortiNAC 8.6 all versions 
  • FortiNAC 8.5 all versions 
  • FortiNAC 8.3 all versions 

CVE-2022-42756 has a critical CVSS score of 9.3 and impacts FortiWeb – a web application firewall (WAF) solution designed to safeguard web applications and APIs against online threats, such as cross-site scripting (XSS), SQL injection, bot attacks, DDoS (distributed denial of service), and other malicious activities. Fortinet’s advisory states that multiple stack-based overflow vulnerabilities [CWE-121] were found in FortiWeb’s proxy daemon. The vulnerabilities could allow an unauthenticated remote attacker to achieve arbitrary code execution via specifically crafted HTTP requests.  

CVE-2022-42756 impacts the following products:  

  • FortiWeb versions 5.x all versions 
  • FortiWeb versions 6.0.7 and below 
  • FortiWeb versions 6.1.2 and below 
  • FortiWeb versions 6.2.6 and below
  • FortiWeb versions 6.3.16 and below 
  • FortiWeb versions 6.4 all versions 

There are no workarounds or mitigations for CVE-2022-39952 or CVE-2022-42756. It is highly recommended that you apply the available security updates to address the vulnerabilities.  



avertium's recommendations

Avertium recommends applying the appropriate updates for CVE-2022-39952. You may find patch guidance in Fortinet’s advisory 
  • Solutions include updating to the following versions:  
    • FortiNAC version 9.4.1 or above 
    • FortiNAC version 9.2.6 or above 
    • FortiNAC version 9.1.8 or above
    • FortiNAC version 7.2.0 or above 
Avertium recommends applying the appropriate updates for CVE-2022-42756. You may find patch guidance in Fortinet’s advisory 
  • Solutions include updating to the following versions:  
    • FortiWeb 7.0.0 or above 
    • FortiWeb 6.3.17 or above
    • FortiWeb 6.2.7 or above 
    • FortiWeb 6.1.3 or above 
    • FortiWeb 6.0.8 or above 




At this time, there are no known IoCs associated with CVE-2022-39952 and CVE-2022-42756. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   



How Avertium is Protecting Our CUSTOMERS

  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. 
  • Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts. 
  • Avertium offers VMaaS to provide a deeper understanding and control over organizational information security risks.  If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap. 




PSIRT Advisories | FortiGuard 

CVE - CVE-2022-39952 (mitre.org) 

PSIRT Advisories | FortiGuard 

Fortinet fixes critical RCE flaws in FortiNAC and FortiWeb (bleepingcomputer.co




Related Resource:  2023 Cybersecurity Landscape: 8 Lessons for Cybersecurity Professionals

Chat With One of Our Experts

Flash Notice Fortinet Vulnerability Fortinet High-Severity Vulnerability FortiWeb FortiNAC Blog