Critical FortiNAC RCE Vulnerability Patched by Fortinet

By Richard Anderson

A critical vulnerability in FortiNAC network access control solutions has been patched by Fortinet. Successful exploitation of the flaw would allow an attacker to remotely execute arbitrary code. The vulnerability is tracked as CVE-2023-33299 and has a CVSS severity score of 9.6/10.

Fortinet’s FortiNAC is a zero-trust access solution that is used to view devices and users on the network, giving admins granular control over network access. The vulnerability is due to the deserialization of untrusted data and can be exploited by an attacker to execute unauthorized code or commands via specially crafted requests to the TCP/1050 service.

The vulnerability affects FortiNAC versions 7.2.0 to 7.2.1, 9.1.0 to 9.1.9, 9.2.0 to 9.2.7, and 9.4.0 to 9.4.2, as well as all versions of 8.3, 8.5, 8.6, 8.7, and 8.8. The vulnerability has been fixed in FortiNAC versions 9.4.3, 9.2.8, 9.1.10, and 7.2.2. Patches for FortiNAC 8.x versions will not be released.

The updated versions also include a fix for a medium-severity improper access control vulnerability in FortiNAC’s TCP/5555 service. The flaw is tracked as CVE-2023-33300 and has a CVSS score of 4.8. The flaw allows an unauthenticated attacker to copy local files to other local directories via specially crafted input fields. The potential for exploitation of this flaw is limited since an attacker would be required to have an existing foothold with sufficiently high privileges. The vulnerability affects FortiNAC 9.4.0 to 9.4.3 and FortiNAC 7.2.0 to 7.2.1, and has been fixed in versions 7.2.2 and 9.4.4.
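The affected and fixed ranges for both CVEs can be checked against an appliance inventory with a short script. The following is an added example, not code from Fortinet or the article; the three-part `X.Y.Z` version format, the function names, and the inventory entries are assumptions made for illustration.

```python
import re

# Ranges transcribed from the article:
# (major, minor) -> (last affected patch level, fixed release).
# None as the patch level means every version of that branch is affected;
# None as the fixed release means no patch will be released.
ADVISORIES = {
    "CVE-2023-33299": {
        (7, 2): (1, "7.2.2"), (9, 1): (9, "9.1.10"),
        (9, 2): (7, "9.2.8"), (9, 4): (2, "9.4.3"),
        (8, 3): (None, None), (8, 5): (None, None), (8, 6): (None, None),
        (8, 7): (None, None), (8, 8): (None, None),
    },
    "CVE-2023-33300": {(7, 2): (1, "7.2.2"), (9, 4): (3, "9.4.4")},
}

def parse_version(text):
    """Parse 'X.Y.Z' into an int tuple so that 9.1.10 sorts after 9.1.9."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())

def triage(version_text):
    """Return {cve: fixed release or None} for each CVE affecting this version."""
    major, minor, patch = parse_version(version_text)
    findings = {}
    for cve, branches in ADVISORIES.items():
        if (major, minor) in branches:
            last_affected, fixed = branches[(major, minor)]
            if last_affected is None or patch <= last_affected:
                findings[cve] = fixed
    return findings

def report(version_text):
    """One-line status: the upgrade target must clear every finding at once."""
    findings = triage(version_text)
    if not findings:
        return "not affected"
    cves = ", ".join(sorted(findings))
    if None in findings.values():
        return f"affected by {cves}: no patch will be released for this branch"
    target = max(findings.values(), key=parse_version)
    return f"affected by {cves}: upgrade to {target} or later"

if __name__ == "__main__":
    # Constructed inventory (hostnames and versions are illustrative only).
    inventory = {"nac-hq": "9.4.2", "nac-dr": "9.4.3", "nac-lab": "8.8.11", "nac-new": "9.1.10"}
    for host, version in inventory.items():
        print(f"{host:8} {version:8} {report(version)}")
```

Note that 9.4.3 clears CVE-2023-33299 but is still in the affected range for CVE-2023-33300, so the script reports 9.4.4 as the target for the 9.4 branch.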

Vulnerabilities in FortiNAC solutions are targeted by malicious actors. A previous critical RCE vulnerability, CVE-2022-39952, was rapidly exploited after a Proof-of-Concept (PoC) exploit was published. Patches should be applied as soon as possible, although Fortinet said the flaws do not appear to have been exploited to date.


Richard Anderson is the Editor-in-Chief of NetSec.news