A world of hurt for Fortinet and Zoho after users fail to install patches
Organizations around the world are once again learning the risks of not installing security updates as multiple threat actors race to exploit two recently patched vulnerabilities that allow them to infect some of the most critical parts of a protected network.
The vulnerabilities both carry severity ratings of 9.8 out of a possible 10 and reside in two unrelated products crucial to securing large networks. The first, tracked as CVE-2022-47966, is a pre-authentication remote code execution vulnerability in 24 separate products from software maker Zoho that use the company’s ManageEngine framework. It was patched in waves from last October through November. The second, CVE-2022-39952, affects a product called FortiNAC, made by cybersecurity company Fortinet, and was patched last week.
Both ManageEngine and FortiNAC are billed as zero-trust products, meaning they operate under the assumption that a network has been breached and constantly monitor devices to ensure they’re not infected or acting maliciously. Zero-trust products don’t implicitly trust any device or node on a network and instead actively work to verify that each one is safe.