"Fortinet Fixes Serious Flaw in FortiADC"
Fortinet has issued patches for a critical flaw in multiple versions of its popular FortiADC application delivery controller, which might allow an attacker to execute arbitrary code. The vulnerability, tracked as CVE-2022-39947, is an OS command injection flaw in the software's handling of certain commands. According to the Fortinet security advisory, improper neutralization of special elements used in the OS Command vulnerability in FortiADC could allow an authenticated attacker with access to the web Graphical User Interface (GUI) to execute unauthorized code or commands through specially crafted HTTP requests. Enterprises and cloud deployments use the FortiADC application delivery controller to provide security functionality, application acceleration, and load balancing. In recent years, Fortinet products have been attractive targets for attackers, and numerous adversary groups have exploited flaws in Fortinet hardware. For example, in November, the Hive ransomware group began exploiting an authentication-bypass vulnerability in the FortiOS Secure Sockets Layer Virtual Private Network (SSL VPN) for initial access prior to launching ransomware. This article continues to discuss the serious security flaw found in several versions of Fortinet's FortiADC application.