Government of the Republic of Trinidad and Tobago

TT-CSIRT-407.07.10.22: FortiOS Critical Security Vulnerability

Updated 10/10/2022 – Fortinet has issued an official PSIRT advisory that includes workaround steps for those who cannot immediately update their assets:

Note that updating your device remains the action TT-CSIRT recommends; the workaround only reduces exposure until the update can be applied.

Original Advisory:

Fortinet has released security updates to address a critical vulnerability in FortiOS (and therefore in the FortiGate appliances that run it) and in FortiProxy. It is an authentication bypass vulnerability rated CVSSv3 9.6: by sending specially crafted HTTP or HTTPS requests to a vulnerable device, an unauthenticated remote attacker who can reach the administrative (management) interface could perform operations as an administrator.
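Because the flaw is only reachable by an attacker who can send HTTP or HTTPS requests to the administrative interface, the interim measure for a device that cannot be updated yet is to cut off that reachability. The FortiOS CLI fragment below is an added illustration of that idea, not text from this advisory or from Fortinet's PSIRT advisory; the interface name `port1`, the address object names, the administrator name `admin` and the 192.0.2.0/24 management network are assumed placeholders to be replaced with your own values, and the object syntax is the editor's understanding of the FortiOS CLI. It shows the weak state (administrative HTTPS allowed from any source on an exposed interface) beside a local-in policy that accepts admin HTTP/HTTPS only from the trusted management network and denies it from everywhere else, plus a per-administrator trusted-host restriction.

```fortios
# Weak state (shown for contrast): HTTPS administration enabled on an
# interface reachable from untrusted networks, with no source restriction.
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end

# Interim hardening. All names and addresses below are assumed
# placeholders for this illustration, not values from the advisory.
config firewall address
    edit "mgmt-net"
        set subnet 192.0.2.0 255.255.255.0
    next
end

config firewall addrgrp
    edit "mgmt-allowed"
        set member "mgmt-net"
    next
end

# Local-in policies are evaluated in order: accept administrative
# HTTP/HTTPS from the trusted group first, then deny it from every
# other source on every interface.
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "mgmt-allowed"
        set dstaddr "all"
        set action accept
        set service HTTPS HTTP
        set schedule "always"
        set status enable
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service HTTPS HTTP
        set schedule "always"
        set status enable
    next
end

# Defence in depth: pin each administrator account to trusted hosts as
# well, so a login from any other source is refused even if the
# local-in policies are later reordered or removed.
config system admin
    edit "admin"
        set trusthost1 192.0.2.0 255.255.255.0
    next
end
```

After applying the change, confirm the policy order with `show firewall local-in-policy` and verify from an address outside the trusted network that the administrative login page no longer answers. This restriction does not remove the vulnerability; it only limits who can reach it, so the firmware update must still be applied as soon as possible.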

While Fortinet has not yet issued an official PSIRT advisory, TT-CSIRT strongly encourages administrators to review the following release from Tenable and apply the necessary updates immediately: