Skip to main content

Fortinet has recently released its May 2023 Monthly PSIRT Advisory Report, which we’ve covered in this detailed report. This report describes newly released security vulnerabilities affecting Fortinet products. We’ve also added a separate table in the report that describes all the products affected by these vulnerabilities.

Through this report, you will understand the severity of each vulnerability, the steps needed to mitigate the risks, and take the necessary actions to enhance the security structure against potential threats. 

Summary of May 2023 Monthly PSIRT Advisory Report

The Fortinet report released has the following key points: 

  1. The report listed 9 vulnerabilities, out of which none are critical, 2 are classified as High, 2 as Low, and 5 are classified as Medium. 
  2. The products affected by these 9 vulnerabilities include FortiADC, FortiOS, FortiProxy, and FortiNAC. 
  3. The fix for these vulnerabilities includes upgrading to the latest product version from the existing one. 

Vulnerabilities by Category

The May 2023 Monthly PSIRT Advisory Report presents 9 vulnerabilities affecting FortiADC, FortiOS, FortiProxy, and FortiNAC. Below is a table giving the overview of each vulnerability type identified in the report: 

Vulnerability Type Number of Occurrences 
Command injection  1
Path traversal  1
SSH Weak Key Exchange  1
Stored XSS triggering RCE  1
Weak authentication mechanism  1
Weak password hashing  1
Database hardcoded credentials 1
Ppen redirect in default Url vulnerability  1
Out-of-bound-write vulnerability  1

Vulnerabilities by Product

Following is the table with all the products affected by the vulnerabilities 

Fortinet Product Number of Occurrence
FortiADC  2
FortiOS  1
FortiProxy 1
FortiNAC  1

Comprehensive List of Vulnerabilities Patched in May 2023 Monthly PSIRT Advisory Report

CVE Title  CVSSv3 Score Severity Products Affected Product Fixed
CVE-2023-27999 FortiADC – Command injection in external resource module 7.6 High  FortiADC version 7.2.0FortiADC version 7.1.0 through 7.1.1 Upgrade to FortiADC version 7.2.1 or aboveUpgrade to FortiADC version 7.1.2 or above
CVE-2023-27993 FortiADC – Path traversal vulnerability in CLI 5.7 Medium FortiADC version 7.2.0FortiADC version 7.1.0 through 7.1.1FortiADC 7.0 all versionsFortiADC 6.2 all versionsFortiADC 6.1 all versionsFortiADC 6.0 all versionsFortiADC 5.4 all versionsFortiADC 5.3 all versionsFortiADC 5.2 all versions Upgrade to FortiADC version 7.2.1 or aboveUpgrade to FortiADC version 7.1.2 or above
CVE-2023-22637 FortiNAC – Stored XSS triggering RCE via license key forgery 5.9 Medium FortiNAC-F version 7.2.0FortiNAC version 9.4.0 through 9.4.2FortiNAC 9.2 all versionsFortiNAC 9.1 all versionsFortiNAC 8.8 all versionsFortiNAC 8.7 all versions Upgrade to FortiNAC-F version 7.2.1 or aboveUpgrade to FortiNAC version 9.4.3 or above
CVE-2022-45858 FortiNAC – SSH Weak Key Exchange Algorithm 3.8 Low  At leastFortiNAC-F version 7.2.0FortiNAC version 9.4.0 through 9.4.1FortiNAC version 9.2.0 through 9.2.6FortiNAC version 9.1.0 through 9.1.8FortiNAC version 8.8.0 through 8.8.11FortiNAC version 8.7.0 through 8.7.6 Upgrade to FortiNAC-F version 7.2.1 or aboveUpgrade to FortiNAC version 9.4.2 or aboveUpgrade to FortiNAC version 9.2.7 or above
CVE-2022-45860 FortiNAC – Weak authentication mechanism on device registration page 5 Medium  At leastFortiNAC-F version 7.2.0FortiNAC version 9.4.0 through 9.4.2FortiNAC 9.2 all versionsFortiNAC 9.1 all versionsFortiNAC 8.8 all versionsFortiNAC 8.7 all versions Upgrade to FortiNAC version 9.4.3 or aboveUpgrade to FortiNAC-F version 7.2.1 or above
CVE-2022-45859 FortiNAC – Weak password hashing method in etc/shadow 3.9 Low  At leastFortiNAC-F version 7.2.0FortiNAC version 9.4.0 through 9.4.1FortiNAC version 9.2.0 through 9.2.6FortiNAC 9.1 all versionsFortiNAC 8.8 all versionsFortiNAC 8.7 all versions Upgrade to FortiNAC-F version 7.2.1 or aboveUpgrade to FortiNAC version 9.4.2 or aboveUpgrade to FortiNAC version 9.2.7 or aboveAfter the upgrade, the CLI account password should be changed.
CVE-2023-26203 FortiNAC – database hardcoded credentials 6.1  Medium  FortiNAC version 9.4.0 through 9.4.2FortiNAC-F version 7.2.0FortiNAC 9.2 all versionsFortiNAC 9.1 all versionsFortiNAC 8.8 all versionsFortiNAC 8.7 all versions Upgrade to FortiNAC version 9.4.3 or aboveUpgrade to FortiNAC-F version 7.2.1 or above
CVE-2022-43950 FortiNAC – open redirect in defaultUrl parameter 3.9 Low  At leastFortiNAC-F version 7.2.0FortiNAC version 9.4.0 through 9.4.1FortiNAC 9.2 all versionsFortiNAC 9.1 all versionsFortiNAC 8.8 all versionsFortiNAC 8.7 all versions Upgrade to FortiNAC version 9.4.2 or aboveUpgrade to FortiNAC-F version 7.2.1 or above
CVE-2023-22640 FortiOS & FortiProxy – Out-of-bound-write in sslvpnd 7.1 High FortiOS version 7.2.0 through 7.2.3FortiOS version 7.0.0 through 7.0.10FortiOS version 6.4.0 through 6.4.11FortiOS version 6.2.0 through 6.2.13FortiOS 6.0 all versionsFortiProxy version 7.2.0 through 7.2.1FortiProxy version 7.0.0 through 7.0.7FortiProxy all versions 2.0, 1.2, 1.1, 1.0 Upgrade to FortiOS version 7.4.0 or aboveUpgrade to FortiOS version 7.2.4 or aboveUpgrade to FortiOS version 7.0.11 or aboveUpgrade to FortiOS version 6.4.12 or aboveUpgrade to FortiOS version 6.2.14 or aboveUpgrade to FortiProxy version 7.2.2 or aboveUpgrade to FortiProxy version 7.0.8 or above
  •  

Leave a Reply