Fortinet reports FortiClient critical flaw and issues in FortiOS and FortiProxy
Take action: If you are using FortiClient, FortiOS or FortiProxy, plan for a patching cycle. First priority is the FortiClient for Linux. The rest are wise to update, but may be part of a regular update cycle - no panic there.
Learn More
Fortinet is reporting vulnerabilities across its FortiOS, FortiProxy, and FortiClient products, including FortiClient for Linux and Mac. For all the flaws Fortinet has released patches or advisories to migrate to a supported versions.
- The critical vulnerability was identified in FortiClient for Linux, tracked as CVE-2023-45590 (CVSS score 9.4). This flaw enables remote code execution and via code injection vulnerability. Attackers can exploit it by deceiving a user into visiting a malicious website, potentially exposing execution of arbitrary code on the affected system. The vulnerability impacts FortiClientLinux version 7.2.0 and FortiClientLinux 7.0.3 through 7.0.4 and 7.0.6 through 7.0.10
- A high severity flaw in FortiOS, FortiProxy tracked as CVE-2023-41677 (CVSS score 7.5), involves inadequate protection of credentials in numerous versions of FortiOS and FortiProxy. This vulnerability could permit attackers to acquire the administrator's cookie under certain rare and specific conditions, such as convincing the administrator to visit a malicious, attacker-controlled website via SSL-VPN.
- High severity vulnerabilities in FortiClient for Mac tracked as CVE-2023-45588 and CVE-2024-31492 (CVSS score 7.8), enable a local attacker to execute arbitrary code or commands via writing a malicious configuration file before starting the installation process.
Fortinet did not indicate whether any of these vulnerabilities had been exploited in the wild.
