Fortinet on Tuesday informed customers about more than a dozen vulnerabilities found and patched in its products.
The company has published 17 new advisories describing 18 vulnerabilities affecting FortiOS, FortiProxy, FortiPAM, FortiSRA, FortiAnalyzer, FortiManager, FortiAnalyzer-BigData, FortiSandbox, FortiNDR, FortiWeb, FortiSIEM and FortiADC.
High-severity vulnerabilities include CVE-2023-48790, an XSS flaw in FortiNDR that can be exploited by unauthenticated hackers for arbitrary code or command execution.
In FortiOS, FortiProxy, FortiPAM, FortiSRA and FortiWeb, the company patched CVE-2024-45325, which allows a privileged attacker to execute code or commands via specially crafted requests. Technical information describing this flaw appears to be publicly available.
Another high-severity issue is CVE-2023-40723, which impacts FortiSIEM and allows an unauthenticated attacker to remotely read the database password using specially crafted API requests.
In FortiSandbox, Fortinet fixed CVE-2024-45328 (privilege escalation), CVE-2024-52961 (command injection), and CVE-2024-54027 (sensitive data read), all rated high severity.
In FortiIsolator it resolved CVE-2024-55590, which allows an attacker with read-only admin access to execute code, and in FortiADC the company fixed CVE-2023-37933, which allows authenticated XSS attacks.
The medium-severity vulnerabilities patched by Fortinet in its products can be exploited for code execution, command execution, arbitrary file write, and bypassing web firewall protections.
A low-severity issue allowing unauthorized operations has also been patched.
Fortinet said many of these vulnerabilities were discovered internally and has not mentioned in-the-wild exploitation for any of them.