CVE-2021-44168: 
FortiOS vulnerability analysis and mitigation

A download of code without integrity check vulnerability (CVE-2021-44168) was discovered in the 'execute restore src-vis' command of FortiOS versions before 7.0.3. The vulnerability was disclosed in December 2021 and affects Fortinet's FortiOS operating system (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) by NIST NVD with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Fortinet assigned it a score of 3.3 (LOW). The vulnerability is classified as CWE-494 (Download of Code Without Integrity Check) and affects multiple versions of FortiOS including versions up to 6.0.14, 6.2.0 to 6.2.10, 6.4.0 to 6.4.8, and 7.0.0 to 7.0.3 (NVD).

The vulnerability allows a local authenticated attacker to download arbitrary files on the device via specially crafted update packages. This could potentially lead to unauthorized access to files and system compromise (NVD).

Organizations are advised to update to FortiOS version 7.0.3 or later to address this vulnerability. CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of this vulnerability as part of their vulnerability management practice (CISA).