Vulnerabilities discovered in Fortinet products (AL02/241219/CSIRT-ITA)

Summary

New vulnerabilities discovered in some Fortinet products, including one with a severity of “critical” and one with a severity of “high”.

Risk

Vulnerability Community Impact Estimation: High (66.41)

Type

• Arbitrary Code Execution
• Arbitrary File Read
• Information Disclosure

Affected Products and Versions

FortiWLM

• 8.5, versions 8.5.0 to 8.5.4
• 8.6, versions 8.6.0 to 8.6.5

FortiManager

• 6.4, versions 6.4.10 to 6.4.14
• 7.0, versions 7.0.5 to 7.0.12
• Cloud 7.0, versions 7.0.1 to 7.0.12
• 7.2, versions 7.2.3 to 7.2.7
• Cloud 7.2, versions 7.2.1 to 7.2.7
• 7.4, versions 7.4.0 to 7.4.4
• Cloud 7.4, versions 7.4.1 to 7.4.4
• 7.6, version 7.6.0

FortiClientWindows

• 7.0, versions 7.0.0 to 7.0.13
• 7.2, versions 7.2.0 to 7.2.6
• 7.4, versions 7.4.0 to 7.4.1

FortiClientLinux

• 7.0, versions 7.0.0 to 7.0.13
• 7.2, versions 7.2.0 to 7.2.7
• 7.4, versions 7.4.0 to 7.4.2

Mitigations

In line with vendor statements, it is recommended to apply mitigations following the guidance in the security bulletins available in the References section.

The following are only the CVEs for vulnerabilities with severity “critical” and “high”:

References

https://fortiguard.fortinet.com/psirt/FG-IR-23-144

https://fortiguard.fortinet.com/psirt/FG-IR-24-425

https://fortiguard.fortinet.com/psirt/FG-IR-23-278

¹This estimate is made taking into account several parameters, including: CVSS, availability of patches/workarounds and PoC, diffusion of the affected software/devices in the reference community.