Fortinet on Monday issued emergency patches for a extreme safety flaw affecting its FortiOS SSL-VPN product that it mentioned is being actively exploited within the wild.
Tracked as CVE-2022-42475 (CVSS rating: 9.3), the crucial bug pertains to a heap-based buffer overflow vulnerability that would enable an unauthenticated attacker to execute arbitrary code through specifically crafted requests.
The corporate said it is “conscious of an occasion the place this vulnerability was exploited within the wild,” urging clients to maneuver shortly to use the updates.
The next merchandise are impacted by the difficulty –
- FortiOS model 7.2.0 by means of 7.2.2
- FortiOS model 7.0.0 by means of 7.0.8
- FortiOS model 6.4.0 by means of 6.4.10
- FortiOS model 6.2.0 by means of 6.2.11
- FortiOS-6K7K model 7.0.0 by means of 7.0.7
- FortiOS-6K7K model 6.4.0 by means of 6.4.9
- FortiOS-6K7K model 6.2.0 by means of 6.2.11
- FortiOS-6K7K model 6.0.0 by means of 6.0.14
Patches can be found in FortiOS variations 7.2.3, 7.0.9, 6.4.11, and 6.2.12 in addition to FortiOS-6K7K variations 7.0.8, 6.4.10, 6.2.12, and 6.0.15.
The American community safety firm has additionally printed indicators of compromise (IoCs) related to the exploitation makes an attempt, together with the IP addresses and the artifacts which can be current within the file system submit a profitable assault.
The advisory comes two months after Fortinet warned of energetic weaponization of one other crucial authentication bypass bug in FortiOS, FortiProxy, and FortiSwitchManager (CVE-2022-40684, CVSS rating: 9.6).