CVE-2022-39948: 
FortiOS vulnerability analysis and mitigation

An improper certificate validation vulnerability (CVE-2022-39948) was discovered in FortiOS and FortiProxy products. The vulnerability affects FortiOS versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.7, 6.4 all versions, 6.2 all versions, 6.0 all versions and FortiProxy versions 7.0.0 through 7.0.6, 2.0 all versions, and 1.2 all versions. This vulnerability was publicly disclosed on February 16, 2023 (NVD).

The vulnerability is classified as an improper certificate validation issue (CWE-295). It received a CVSS v3.1 base score of 7.4 (HIGH) from NVD with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, while Fortinet assessed it with a score of 4.8 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (NVD).

The vulnerability affects the communication channel between the FortiOS/FortiProxy device and remote servers hosting threat feeds when configured as Fabric connectors. If exploited, it could allow an attacker to intercept and potentially manipulate the communication between the affected systems (NVD).

Fortinet has released security patches to address this vulnerability. Users are advised to upgrade to the latest versions of the affected products (Fortiguard).