Today CISA announced that it had added a use-of-hard-coded-credentials vulnerability in the FortiGuard FortiOS product to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability was previously reported by FortiGuard on June 30th, 2020, and the advisory was most recently updated on February 22nd, 2024. New versions that mitigate the vulnerabilities (two others are also listed in this advisory) are available. On December 8th, 2023, SaladAndOnionRings published an exploit that allows decryption of FortiGuard passwords based upon this vulnerability.
CISA is requiring federal agencies using affected FortiGuard products to apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” A deadline of July 16th, 2025 has been set to meet this requirement.