Cybersecurity solutions company Fortinet has released security updates for its FortiNAC and FortiWeb products, addressing two critical-severity vulnerabilities that can allow unauthenticated attackers to execute arbitrary code or commands.

The first flaw, impacting FortiNAC, is tracked as CVE-2022-39952 and has a CVSS v3 score of 9.8 (critical).

FortiNAC is a network access control solution that helps organizations gain real-time network visibility, enforce security policies, and detect and mitigate threats.

“An external vulnerability check of the file name or path [CWE-73] in the FortiNAC web server may allow an unauthenticated attacker to perform arbitrary writes to the system”, reads the security advisory.

The products impacted by this flaw are:

• FortiNAC version 9.4.0
• FortiNAC versions 9.2.0 to 9.2.5
• FortiNAC versions 9.1.0 to 9.1.7
• FortiNAC 8.8 all versions
• FortiNAC 8.7 all versions
• FortiNAC 8.6 all versions
• FortiNAC 8.5 all versions
• FortiNAC 8.3 all versions

The CVE-2022-39952 vulnerability is addressed in FortiNAC 9.4.1 and later, 9.2.6 and later, 9.1.8 and later, and 7.2.0 and later.

The second vulnerability impacting FortiWeb is CVE-2021-42756which has a CVSS v3 score of 9.3 (critical).

FortiWeb is a web application firewall (WAF) solution designed to protect web applications and APIs against cross-site scripting (XSS), SQL injection, bot attacks, DDoS (distributed denial of service) and other online threats.

“Several stack-based buffer overflow vulnerabilities [CWE-121] in FortiWeb’s proxy daemon may allow a remote, unauthenticated attacker to execute arbitrary code via specially crafted HTTP requests” describes the opinion of Fortinet.

CVE-2021-42756 affects the versions below:

• FortiWeb versions 5.x all versions
• FortiWeb versions 6.0.7 and below
• FortiWeb versions 6.1.2 and below
• FortiWeb versions 6.2.6 and below
• FortiWeb versions 6.3.16 and below
• FortiWeb versions 6.4 all versions

To fix the flaw, administrators should upgrade to FortiWeb 7.0.0 or later, 6.3.17 or later, 6.2.7 or later, 6.1.3 or later, and 6.0.8 or later.

Strangely, the CVE ID indicates that the vulnerability was discovered in 2021 but has not been publicly disclosed so far.

The vendor has not provided any mitigation advice or workarounds for either flaw, so applying available security updates is the only way to address the risks.