"Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs," Fortinet said.
The firm has released updates for FortiOS, FortiProxy and FortiSwitchManager to address the flaw, which affects several of its security appliances.
"An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests."
However, for customers that can't apply updates immediately, it has also provided workarounds: disable the HTTP/HTTPS administrative interface, or limit the IP addresses that can reach the administrative interface.
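The two workaround shapes described above, written out as an added FortiOS CLI fragment (this is an illustration, not Fortinet's published advisory text; the interface name `port1`, the management host range `10.10.0.0/24` and the admin account name are assumed placeholders):

```fortios
# Option 1: remove HTTP/HTTPS from the management services on the
# internet-facing interface, leaving only what is needed (here: ping, ssh).
config system interface
    edit "port1"
        set allowaccess ping ssh
    next
end

# Option 2: keep HTTPS management enabled but restrict which source
# addresses may reach the administrative interface at all.
config firewall address
    edit "mgmt_hosts"
        set subnet 10.10.0.0 255.255.255.0
    next
end

config firewall local-in-policy
    # Allow management only from the trusted range ...
    edit 1
        set intf "port1"
        set srcaddr "mgmt_hosts"
        set dstaddr "all"
        set service "HTTPS" "HTTP"
        set schedule "always"
        set action accept
    next
    # ... and deny the same services from everywhere else.
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "HTTP"
        set schedule "always"
        set action deny
    next
end

# Belt and braces: also pin each admin account to trusted hosts.
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
```

After applying either option, confirm from a host outside the trusted range that the administrative port no longer answers, and review the device logs for the indicator Fortinet published with its advisory.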
Separately, CISA on Tuesday also added the Windows flaw CVE-2022-41033 to its KEV catalog. Microsoft released an update for it on Tuesday to address a Windows COM+ Event System Service elevation of privilege vulnerability. Microsoft confirmed it had been exploited but noted that the vulnerability had not been publicly disclosed.
CISA has ordered federal agencies to apply fixes for both flaws by November 1.