On January 14, 2025, Fortinet announced several vulnerabilities impacting multiple products. At Systems Engineering, we are highlighting these vulnerabilities as they affect the Fortinet solutions we support. Specifically, these issues impact FortiGate, FortiSwitch, FortiManager, FortiAnalyzer, FortiClient EMS, and FortiClient for Windows.

Systems Engineering is aware of the Fortinet FortiOS, FortiManager, and FortiAnalyzer affecting multiple versions of these products.

Fortinet rates these vulnerabilities as HIGH.

Systems Engineering is aware of the Fortinet FortiManager missing authentication for critical function vulnerability in the fgfmd process, CVE-2024-47575. Reports have shown this vulnerability to be exploited in the wild.

Late yesterday, DigiCert announced a critical incident involving the revocation of a subset of TLS/SSL certificates due to a domain control verification (DCV) issue. While necessary to maintain security standards, this action could potentially disrupt services for some organizations that rely on DigiCert certificates to secure public and private web services.

Last October, Cisco announced a security vulnerability in their Duo Authentication for Windows Logon and RDP that impacted releases 4.0 through 4.2.  In April, Cisco delivered a new release and a fix for CVE-2024-20292.  

Systems Engineering is aware of three Vulnerabilities affecting the Cisco ASA; Cisco Adaptive Security Appliance Web Service Denial of Service Vulnerability - CVE-2024-20353, Cisco Adaptive Security Appliance Command Injection Vulnerability - CVE-2024-20358, and Cisco Adaptive Security Appliance Persistent Local Code Execution Vulnerability - CVE-2024-20359.

Systems Engineering is aware of two vulnerabilities, the Fortinet FortiClient EMS Pervasive SQL injection in DAS component (CVE-2023-48788) and FortiClient EMS - CSV injection in the log download feature (CVE-2023-47534).