HA logging vulnerability scans from the Internet

Got one:



Logger: homeassistant.components.http.security_filter
Source: components/http/security_filter.py:50
Integration: HTTP (documentation, issues)
First occurred: 19 January 2021, 21:09:27 (1 occurrences)
Last logged: 19 January 2021, 21:09:27
Filtered a request with a potential harmful query string: /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession 
2 Likes

Does that imply the integration HTTP is the risky one? Which is strange, as it's not a custom one.

Or is it the sslvpn mentioned?

I think http is the integration that found the dodgy URL. It was asked for a URL that the new filter does not like.

What generated that URL doesn’t seem to be known.

Probably unrelated. /remote/fgt_lang looks like someone trying to exploit a FortiGate device (though the request is definitely malicious).

2 Likes

Well they’re way off on that attack attempt.

I would be more concerned that something is running on your system generating that request. Given the little information we have, could that be a custom component generating that URL and HA filtering it?

Any chance you’ll list the custom components you have running?

You are using a custom integration for bwalarm which has not been tested by Home Assistant. This component might cause stability problems, be sure to disable it if you experience issues with Home Assistant.
You are using a custom integration for sun2 which has not been tested by Home Assistant. This component might cause stability problems, be sure to disable it if you experience issues with Home Assistant.
You are using a custom integration for bom which has not been tested by Home Assistant. This component might cause stability problems, be sure to disable it if you experience issues with Home Assistant.
You are using a custom integration for bom_forecast which has not been tested by Home Assistant. This component might cause stability problems, be sure to disable it if you experience issues with Home Assistant.
2 Likes

Is it necessarily a custom integration generating this request, or could this ‘simply’ be a direct outside request to the HA http server component, basically someone (who doesn’t even know you’re running HA) trying random exploits on your IP and the HA port?

I think this is a likely explanation. I can go to my own instance and append that URL without ever logging in and get the same warning in my logs.

The error is coming from the http integration, so the request could have come from anywhere that has access to the HA device (or VM if that is the case).

Right. So that’s probably unrelated to this security bulletin, although the filter caught it too. If you throw out a net…

Filtering suspicious requests on any http server is always a good idea anyway.

2 Likes
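An added example, not part of any post in this thread and not Home Assistant's own code: a small query-string filter of the kind discussed above, checked against the request logged in the opening post. The pattern list, the function names and the 400 response are assumptions made for illustration.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit, unquote_plus

# Patterns are assumptions chosen for this example, not Home Assistant's list.
_PATTERNS = {
    "path traversal": re.compile(r"\.\.[/\\]"),
    "null byte": re.compile(r"\x00"),
    "script tag": re.compile(r"<\s*script", re.IGNORECASE),
}
MAX_DECODE_ROUNDS = 3  # cope with double or triple percent-encoding


def fully_decode(value: str) -> str:
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_request(target: str) -> list[str]:
    """Return the reasons a request target's query string looks hostile."""
    query = fully_decode(urlsplit(target).query)
    return [name for name, rx in _PATTERNS.items() if rx.search(query)]


def filter_request(target: str) -> int:
    """Status a hypothetical filtering middleware would answer with."""
    return 400 if check_request(target) else 200


if __name__ == "__main__":
    samples = [
        # Request target copied from the log entry in the opening post.
        "/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession",
        # Constructed samples: a double-encoded traversal and a benign query.
        "/local/file?name=%252e%252e%252fsecrets.yaml",
        "/api/history?entity=light.kitchen",
    ]
    for target in samples:
        print(filter_request(target), check_request(target), target)
```

The filter runs before any authentication or routing decision, which is why an unauthenticated probe for another vendor's product still produces a log entry.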

I also have this error now.

So someone is trying to hack your fortinet firewall. If you have one, you should have upgraded it and if so you should be OK.

If you don’t have one you are probably also OK. In fact I doubt that you are running HA on a fortinet firewall at all :slight_smile:

3 Likes

I don’t have fortinet firewall :slight_smile:

Thx I’m tranquilized

1 Like

I’m also getting this warning now and I don’t use any custom components. Any ideas what it is?

Which warning?

The one in the opening post? That’s a warning you get because:

  1. You’re accessible from the Internet
  2. Somebody is looking for vulnerable systems to exploit

It’s nothing to worry about - as you’ll see if you read the thread.

2 Likes

Yes, but it seemed like people were blaming it on custom components. Thanks for clarifying.