CVE-2022-26118 — Improper Privilege Management in Fortinet Fortianalyzer

CWE-269 — Improper Privilege Management4 documents4 sources

Severity

6.7MEDIUMNVD

EPSS

0.1%

top 74.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortianalyzer Fortinet Fortimanager

Timeline

PublishedJul 18

Latest updateJul 19

Description

A privilege chaining vulnerability [CWE-268] in FortiManager and FortiAnalyzer 6.0.x, 6.2.x, 6.4.0 through 6.4.7, 7.0.0 through 7.0.3 may allow a local and authenticated attacker with a restricted shell to escalate their privileges to root due to incorrect permissions of some folders and executable files on the system.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages2 packages

▶NVDfortinet/fortimanager6.4.0 — 6.4.8+3

▶NVDfortinet/fortianalyzer6.4.0 — 6.4.8+3

Patches

Patch: fortiguard.com ↗Patch: fortiguard.com ↗

🔴Vulnerability Details

GHSA

GHSA-825g-6mc8-89vv: A privilege chaining vulnerability [CWE-268] in FortiManager and FortiAnalyzer 6↗2022-07-19

▶

CVEList

CVE-2022-26118: A privilege chaining vulnerability [CWE-268] in FortiManager and FortiAnalyzer 6↗2022-07-18

▶

📋Vendor Advisories

Fortinet

A privilege chaining vulnerability [CWE-268] in FortiManager and FortiAnalyzer 6.0.x, 6.2.x, 6.4.0 through 6.4.7, 7.0.0...↗2022-07-18

▶