Upgrade vulnerable Fortinet FortiNAC versions immediately, admins urged

A proof-of-concept exploit for a critical vulnerability affecting some versions of Fortinet's zero-trust solution was published by researchers yesterday

A proof-of-concept exploit has been published by researchers for a critical vulnerability in some versions of Fortinet's FortiNAC network access control solution.

FortiNAC is a zero-trust access solution that oversees and protects digital assets connected to the enterprise network, covering devices from IT, IoT, OT/ICS to IoMT.

The vulnerability, tracked as CVE-2022-39952, has a CVSS v3 score of 9.8 out of 10. This remote code execution (RCE) vulnerability, discovered by Gwendal Guégniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user.

An in-depth breakdown of the vulnerability and how it can be exploited was published by the Horizon3 cybersecurity group in a blog post yesterday, together with a proof-of-concept exploit for CVE-2022-39952 posted on Horizon3's GitHub repository.

"We use this vulnerability to write a cron job to /etc/cron.d/payload. This cron job gets triggered every minute and initiates a reverse shell to the attacker," Zach Hanley of Horizon3 wrote on the blog.

"We first create a zip that contains a file and specify the path we want it extracted. Then, we send the malicious zip file to the vulnerable endpoint in the key field. Within a minute, we get a reverse shell as the root user."

FortiNAC versions vulnerable to CVE-2022-39952 are 8.3, 8.5-8.8, 9.1.0-9.1.7, 9.2-9.2.5 and 9.4.0.

Given the critical rating of the vulnerability and the availability of a PoC exploit, administrators are urged to upgrade to FortiNAC versions that are not affected. These are 9.4.1 and above, 9.2.6 and above, 9.1.8 and above and 7.2.0 and above.
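As an added example (not code from the article, Horizon3 or Fortinet), the helper below encodes the affected and fixed version ranges stated above so an inventory of FortiNAC appliances can be triaged in one pass; treating two-component bounds such as 8.5-8.8 as prefixes covering every 8.5.x through 8.8.x build is an assumption, and the ranges should be confirmed against Fortinet's advisory.

```python
"""Triage helper: is a FortiNAC version affected by CVE-2022-39952?

Version ranges are transcribed from the article text; the prefix
semantics for short bounds (8.5 covers 8.5.x) is an assumption.
"""
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges as (low, high), inclusive, per the article.
AFFECTED = [
    ((8, 3), (8, 3)),
    ((8, 5), (8, 8)),
    ((9, 1, 0), (9, 1, 7)),
    ((9, 2, 0), (9, 2, 5)),
    ((9, 4, 0), (9, 4, 0)),
]

# First fixed release per branch, as stated in the article.
FIXED = {(9, 4): (9, 4, 1), (9, 2): (9, 2, 6), (9, 1): (9, 1, 8), (7, 2): (7, 2, 0)}


def parse_version(text: str) -> Version:
    """Parse '9.2.5' or '9.1' into a tuple of ints; rejects junk."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Version, n: int, fill: int) -> Version:
    return v + (fill,) * (n - len(v))


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    for low, high in AFFECTED:
        n = max(len(v), len(low), len(high))
        # Low bound pads with 0 (8.5 -> 8.5.0); high bound pads with a
        # large sentinel so that 8.8 covers every 8.8.x build.
        if _pad(low, n, 0) <= _pad(v, n, 0) <= _pad(high, n, 10**6):
            return True
    return False


def recommended_upgrade(version: str) -> Optional[str]:
    """First fixed release on the same branch, if the article names one."""
    fixed = FIXED.get(parse_version(version)[:2])
    return ".".join(map(str, fixed)) if fixed else None


def triage(version: str) -> str:
    """One-line verdict suitable for an inventory report."""
    if not is_affected(version):
        return f"{version}: not in the affected ranges"
    target = recommended_upgrade(version)
    if target:
        return f"{version}: AFFECTED - upgrade to {target} or later"
    return f"{version}: AFFECTED - no fixed release listed for this branch"
```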