Voyager18 (research)

How to fix CVE-2022-39952 and CVE-2021-42756 in Fortinet products

Two critical vulnerabilities have been found in Fortinet products. Here's what you need to know about CVE-2022-39952 and CVE-2021-42756

Bar Lanyado | February 20, 2023

FortiWeb, FortiOS, FortiNAC, and FortiProxy are among the software programs that Fortinet has updated with security patches to address 40 vulnerabilities, with two of them ranked as critical.

Here’s everything you need to know about CVE-2022-39952 and CVE-2021-42756.

What are CVE-2022-39952 and CVE-2021-42756?

CVE-2022-39952 refers to a vulnerability in FortiNAC, which is Fortinet’s network access control solution. Specifically, this CVE identifies an external control issue related to the file name or path in the webserver of FortiNAC. An unauthenticated attacker can use it to execute arbitrary writes on a vulnerable system. With a CVSS score of 9.8, this vulnerability is a serious security concern. 

CVE-2021-42756 is a severe vulnerability in FortiWeb’s proxy daemon that has been assigned a “very critical” severity rating. This vulnerability is associated with multiple stack-based buffer overflow vulnerabilities and can allow attackers to remotely execute arbitrary code on the affected system using malicious HTTP requests. Although the vulnerability was discovered over a year ago, Fortinet has only recently provided patches for it, and it is unclear why there was a delay in doing so. Horizon3, an autonomous pen-testing company, has announced that it will soon publish a blog post on exploiting CVE-2021-42756 for remote code execution with root privileges. Given that there are many Fortinet systems exposed to the internet, it is believed that a significant number of them are vulnerable to attacks exploiting this vulnerability.

Do they affect me?

The following products are affected by CVE-2022-39952:

FortiNAC version 9.4.0

FortiNAC version 9.2.0 through 9.2.5

FortiNAC version 9.1.0 through 9.1.7

FortiNAC 8.8 all versions

FortiNAC 8.7 all versions

FortiNAC 8.6 all versions

FortiNAC 8.5 all versions

FortiNAC 8.3 all versions


Versions of FortiWeb below are affected by CVE-2021-42756:

FortiWeb versions 6.4 all versions

FortiWeb versions 6.3.16 and below

FortiWeb versions 6.2.6 and below

FortiWeb versions 6.1.2 and below

FortiWeb versions 6.0.7 and below, and

FortiWeb versions 5.x all versions

Have CVE-2022-39952 and CVE-2021-42756 been actively exploited in the wild?

In the case of CVE-2022-39952, penetration testing company stated that it plans to release a proof-of-concept (PoC) code for the vulnerability “soon,” necessitating a rush on the part of users to apply the updates.

There is currently no proof of concept (PoC) available for CVE-2021-42756.

How to fix CVE-2022-39952 and CVE-2021-42756

CVE-2022-39952: FortiNAC versions 7.2.0, 9.1.8, 9.1.8, and 9.1.8 have patches available.

CVE-2021-42756: fixes are available in versions 6.0.8, 6.1.3, 6.2.7, 6.3.17, and 7.0.0

Next steps

Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:

  1. Cyber risk in 2022- a 360° view report 
  2. MITRE ATTACK framework – Mapping techniques to CVEs 
  3. Exploit maturity: an introduction 
  4. How to properly tackle zero-day threats 
  5. VulnRX – the CVE fix directory

And finally…

Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate, and communicate your cyber risk across your entire organization. Get a demo today.

CVE examples




Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

"Idea for an overwhelmed secops/security team".

Name Namerson
Head of Cyber Security Strategy