Fortinet has confirmed that a critical vulnerability in its FortiWeb web application firewall (WAF) is being actively exploited in the wild. The security flaw, tracked as CVE-2022-39952, carries a CVSS score of 9.8 out of 10, indicating its severe nature.

The vulnerability enables a remote, unauthenticated attacker to bypass authentication and gain complete administrative access to an affected device’s management interface. Fortinet issued a security advisory urging customers to take immediate action.

Vulnerability Details and Impact

The root cause of CVE-2022-39952 is an alternative path or channel issue within the FortiWeb management interface. Successful exploitation grants an attacker full control over the compromised system. With administrative privileges, an intruder can view or alter device configurations, create new malicious administrator accounts, disable the WAF’s security functions, or shut down the device entirely.

The vulnerability impacts multiple versions of the FortiWeb WAF, including versions 7.0.0 through 7.0.2, all 6.4 versions, and 6.3.0 through 6.3.15. The flaw was discovered and reported to Fortinet by security researchers from the firm Lexfo.

Official Response and Mitigation

In response to the active exploitation, Fortinet has released security patches to address the vulnerability. The company strongly advises administrators to upgrade to the patched versions, which are FortiWeb 7.0.3 or above and FortiWeb 6.3.16 or above.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also acknowledged the threat by adding CVE-2022-39952 to its Known Exploited Vulnerabilities (KEV) catalog. Following this addition, CISA issued a directive requiring Federal Civilian Executive Branch agencies to apply the necessary patches by a specified deadline.