CVE-2022-43947: 
FortiOS vulnerability analysis and mitigation

An improper restriction of excessive authentication attempts vulnerability [CWE-307] was discovered in Fortinet FortiOS and FortiProxy administrative interface. The vulnerability affects FortiOS versions 7.2.0 through 7.2.3 and before 7.0.10, FortiProxy versions 7.2.0 through 7.2.2 and before 7.0.8, as well as several legacy versions. The vulnerability was internally discovered by Goutham Rukmasah from Fortinet's FortiGuard Labs and was initially published on April 11, 2023 (Fortinet Advisory).

The vulnerability allows an attacker with a valid user account to perform brute-force attacks on other user accounts by injecting valid login sessions. The severity is rated as HIGH with a CVSS v3.1 base score of 8.8 (NIST) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, though Fortinet rates it as MEDIUM with a CVSS score of 5.0 (NVD).

The vulnerability could allow attackers to bypass authentication controls and potentially gain unauthorized access to user accounts through brute-force attacks. This could lead to unauthorized access to administrative interfaces and potential system compromise (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to FortiProxy version 7.2.2 or above, FortiProxy version 7.0.8 or above, FortiOS version 7.2.4 or above, FortiOS version 7.0.11 or above, or FortiOS version 6.4.13 or above. FortiOS versions 7.4 and 7.6 are not affected by this vulnerability (Fortinet Advisory).