Security News > 2023 > February > Exploit released for critical Fortinet RCE flaw, patch now
Security researchers have released a proof-of-concept exploit for a critical-severity vulnerability in Fortinet's FortiNAC network access control suite.
Proof-of-concept exploit code is also available from the company's repository on GitHub.
The analysts discovered that the fix for CVE-2022-39952 removed 'keyUpload.jsp,' an endpoint that parses requests for a 'key' parameter, writes it on a config file, and then executes a bash script, 'configApplianceXml.
The bash script executes the 'unzip' command on the newly written file, but just before that, the script calls "Cd /.".
"Because the working directory is /, the call unzip inside the bash script allows any arbitrary file to be written," the researchers added.
The 'key' parameter ensures that the malicious request will reach 'keyUpload.jsp,' which is the unauthenticated endpoint that Fortinet removed in the fixed versions of FortiNAC. The code from Horizon3 automates this process and could be picked up and modified by threat actors into a weaponized exploit.
News URL
Related news
- Critical Ivanti RCE flaw with public exploit now used in attacks (source)
- Week in review: Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast (source)
- Qualcomm Urges OEMs to Patch Critical DSP and WLAN Flaws Amid Active Exploits (source)
- CISA says critical Fortinet RCE flaw now exploited in attacks (source)
- Akira and Fog ransomware now exploit critical Veeam RCE flaw (source)
- VMware fixes bad patch for critical vCenter Server RCE flaw (source)
- Microsoft SharePoint RCE flaw exploits in the wild – you've had 3 months to patch (source)
- Week in review: Fortinet patches critical FortiManager 0-day, VMware fixes vCenter Server RCE (source)
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-16 | CVE-2022-39952 | Exposure of Resource to Wrong Sphere vulnerability in Fortinet Fortinac A external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP request. | 9.8 |