Fortinet FortiNAC Urged to Address Critical Vulnerability

The security of Fortinet FortiNAC appliances is under attack, with proof-of-concept exploit code now available and active exploitation attempts in the wild.

FortiNAC is a zero-trust network access solution that can be deployed both as a hardware device or as a virtual machine appliance, and is used for network segmentation, visibility, and control of devices and users connected to the network. With more than 700,000 Fortinet devices connected to the internet around the world, the potential damage of this vulnerability is significant.

The vulnerability, tracked as CVE-2022-39952, was discovered internally by a member of the Fortinet product security team and is rated 9.8 out of 10 on the CVSS severity scale. It allows unauthenticated attackers to write arbitrary files on the system, which can result in code or command execution. Security consultancy firm Horizon3.ai were able to confirm the vulnerability, located in a file called keyUpload.jsp that allows the upload of files that are then saved locally in the location /bsc/campusMgr/config.applianceKey.

Exploitation of the vulnerability can take many forms, including writing malicious payloads under /etc/cron.d/ which is the scheduled task mechanism in Linux, overwriting binary files on the system that the OS will execute, or adding an SSH key to a user profile to enable remote access. Attackers have already been seen creating reverse shells and deploying webshells under bsc/campusMgr/ui/ROOT/fortii.jsp and bsc/campusMgr/ui/ROOT/shell.jsp.

Fortinet advises users to upgrade to FortiNAC version 9.2.6 or above, 9.1.8 or above and 7.2.0 or above, depending on which supported release they use, to protect against this vulnerability. With active attacks already underway, users are urged to patch their systems as soon as possible.