Fortinet has patched two critical bugs in its FortiNAC and FortiWeb products that if exploited could allow an unauthenticated attacker to execute unauthorized code or commands via a specifically crafted HTTP request.
The FortiNAC bug tracked as CVE-2022-39952 was rated at 9.8 and affected versions 9.4.0; 9.2.0 through 9.2.5; 9.1.0 through 9.1.7; 8.8.0 through 8.8.11; 8.7.0 through 8.7.6; 8.6.0 through 8.6.5; 8.5.0 through 8.5.4; and 8.3.7.
The FortiWeb bug tracked as CVE-2021-42756 was reported as a multiple stack-based buffer overflow vulnerability in the proxy daemon of FortiWeb 5.x all versions; 6.0.7 and below; 6.1.2 and below; 6.2.6 and below; 6.3.16 and below; and 6.4.
Its recommended for the users to do the upgrades as specified in its advisories for the FortiNAC and FortiWeb products.
None of the two vulnerabilities are not exploited in wild by threat actors.