List of zero-day vulnerabilities in Fortinet firewalls, VPN & networking products

Cybersecurity specialists have revealed the discovery of multiple vulnerabilities in Fortinet FortiADC; the severity of these failures varies, as well as potential exploitation scenarios.

Below is a brief profile of each of the discovered faults, with their respective Common Vulnerability Scoring System (CVSS) key.

CVE-2020-9286: This is an existing vulnerability in the affected product that exists due to inadequate access restriction, exploiting it would allow a remote threat actor to scale privileges on the target system and perform various tasks, such as restarting the device abruptly.

CVE-2020-6647: This flaw would allow remote attackers to perform cross-site scripting (XSS) attacks and exist due to insufficient disinfection of user input within the FortiADC dashboard. A remote hacker could trick a user into following a specially designed link and executes arbitrary HTML and script code in the context of an insecure website.

Successful exploitation of this vulnerability can allow a remote attacker to steal potentially sensitive information, change the appearance of a targeted website, perform phishing attacks, and drive-by-download.

The report mentions that the company has already received the report and began working immediately to correct security flaws. In the most recent update on the finding, Fortinet announced that security patches have already been released to users, so users of affected deployments are advised to update as soon as possible.

So far the finding of some malware variant to exploit these vulnerabilities has not been reported, although users should not forget to update their systems.