CVE-2022-26122

CWE-3454 documents4 sources

Severity

8.6HIGH

EPSS

0.1%

top 69.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortimail Fortinet Fortios Fortinet Antivirus Engine

Timeline

PublishedNov 2

Description

An insufficient verification of data authenticity vulnerability [CWE-345] in FortiClient, FortiMail and FortiOS AV engines version 6.2.168 and below and version 6.4.274 and below may allow an attacker to bypass the AV engine via manipulating MIME attachment with junk and pad characters in base64.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶NVDfortinet/fortios6.0.0 — 6.0.15+4

▶NVDfortinet/fortimail6.0.0 — 6.0.12+4

▶NVDfortinet/antivirus_engine14 versions+13

Patches

Patch: fortiguard.com ↗Patch: fortiguard.com ↗

🔴Vulnerability Details

GHSA

GHSA-8xr5-vrfj-p7x2: An insufficient verification of data authenticity vulnerability [CWE-345] in FortiClient, FortiMail and FortiOS AV engines version 6↗2022-11-02

▶

CVEList

CVE-2022-26122: An insufficient verification of data authenticity vulnerability [CWE-345] in FortiClient, FortiMail and FortiOS AV engines version 6↗2022-11-02

▶

📋Vendor Advisories

Fortinet

Evasion by manipulating MIME attachment↗2022-11-02

▶