Fortinet Patches Over a Dozen Security Vulnerabilities Across Its Products
On Tuesday, Fortinet alerted customers about multiple security flaws in its products, releasing fixes for more than a dozen vulnerabilities.
The company issued 17 new security advisories detailing 18 vulnerabilities affecting various products, including FortiOS, FortiProxy, FortiPAM, FortiSRA, FortiAnalyzer, FortiManager, FortiAnalyzer-BigData, FortiSandbox, FortiNDR, FortiWeb, FortiSIEM, and FortiADC.
Among the high-severity vulnerabilities is CVE-2023-48790, an XSS flaw in FortiNDR that could enable unauthenticated attackers to execute arbitrary code or commands.
Another critical issue, CVE-2024-45325, impacts FortiOS, FortiProxy, FortiPAM, FortiSRA, and FortiWeb. It allows a privileged attacker to execute commands via specially crafted requests. Technical details about this vulnerability appear to be publicly available.
Additionally, CVE-2023-40723 affects FortiSIEM and could allow an unauthenticated attacker to remotely access the database password through crafted API requests.
Fortinet also addressed several other high-severity vulnerabilities, including:
- CVE-2024-45328 (privilege escalation)
- CVE-2024-52961 (command injection)
- CVE-2024-54027 (sensitive data read) in FortiSandbox
- CVE-2024-55590 in FortiIsolator, which could let an attacker with read-only admin access execute code
- CVE-2023-37933 in FortiADC, which enables authenticated XSS attacks
The company also patched medium-severity vulnerabilities that could allow code execution, command execution, arbitrary file writes, and bypasses of web application firewall protections. A low-severity flaw enabling unauthorized operations was also addressed.
Fortinet stated that many of these vulnerabilities were identified internally and confirmed that none have been exploited in the wild.