TT-CSIRT-407.07.10.22: FortiOS Critical Security Vulnerability
Updated 10/10/2022 – Fortinet has issued an official PSIRT advisory that includes workaround steps for those who cannot immediately update their assets: https://www.fortiguard.com/psirt/FG-IR-22-377
Note that updating your device continues to be the preferred recommended action by TT-CSIRT.
Original Advisory:
Fortinet has released security updates to address a critical vulnerability in its FortiOS (and subsequently FortiGate) and FortiProxy products. This is a critical authentication bypass vulnerability that received a CVSSv3 score of 9.6. By sending specially crafted HTTP or HTTPS requests to a vulnerable target, a remote attacker with access to the management interface could perform administrator operations.
While Fortinet has not yet issued an official PSIRT advisory, TT-CSIRT strongly encourages administrators to review the following release from Tenable and apply the necessary updates immediately: