Improper Privilege Management in FortiOS - CVE-2022-38378

 

Improper Privilege Management in FortiOS - CVE-2022-38378

Published: February 17, 2023


Vulnerability identifier: #VU72348
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-38378
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Fortinet, Inc
Affected software:
FortiOS

Detailed vulnerability description

The vulnerability allows a remote user to escalate privileges on the device.

The vulnerability exists due to improper privilege management. A remote administrative user with access to the admin profile section (System subsection Administrator Users) can modify their own profile and upgrade their privileges to Read Write via CLI or GUI commands.


How to mitigate CVE-2022-38378

Install updates from vendor's website.

Sources