CVE-2022-39947

Name of the Vulnerable Software and Affected Versions FortiADC versions 5.4.0 through 5.4.5 FortiADC versions 6.0.0 through 6.0.4 FortiADC versions 6.1.0 through 6.1.6 FortiADC versions 6.2.0 through 6.2.3 FortiADC versions 7.0.0 through 7.0.2

Description The issue is related to an improper neutralization of special elements used in an os command, also known as 'os command injection', which may allow an attacker to execute unauthorized code or commands via specifically crafted HTTP requests. This can be done by sending specially formed HTTP requests to the web interface of the FortiADC controller.

Recommendations For FortiADC versions 5.4.0 through 5.4.5, update to a version that contains a fix for this issue. For FortiADC versions 6.0.0 through 6.0.4, update to a version that contains a fix for this issue. For FortiADC versions 6.1.0 through 6.1.6, update to a version that contains a fix for this issue. For FortiADC versions 6.2.0 through 6.2.3, update to a version that contains a fix for this issue. For FortiADC versions 7.0.0 through 7.0.2, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the web interface of the FortiADC controller to minimize the risk of exploitation.