Security News > 2023 > February > PoC exploit, IoCs for Fortinet FortiNAC RCE released (CVE-2022-39952)
Horizon3's Attack Team has released a PoC exploit for CVE-2022-39952, a critical vulnerability affecting FortiNAC, Fortinet's network access control solution.
"Similar to the weaponization of previous archive vulnerability issues that allow arbitrary file write, we use this vulnerability to write a cron job to /etc/cron.d/payload. This cron job gets triggered every minute and initiates a reverse shell to the attacker," shared Zach Hanley, Chief Attack Engineer at Horizon3.
"We first create a zip that contains a file and specify the path we want it extracted. Then, we send the malicious zip file to the vulnerable endpoint in the key field. Within a minute, we get a reverse shell as the root user."
He notes, it's possible defenders won't find it if attackers make sure to scrub the log file.
"Arbitrary file write vulnerabilities can be abused in several ways to obtain remote code execution. In this case, we write a cron job to /etc/cron.d/, but attackers could also overwrite and binary on the system that is regularly executed or SSH keys to a user profile," he added.
Enterprise admins who have missed the initial Fortinet alert are advised to update their FortiNAC device(s) to version 9.4.1 or above, 9.2.6 or above, 9.1.8 or above, and 7.2.0 or above as soon as possible, because there are no available workarounds.
News URL
https://www.helpnetsecurity.com/2023/02/21/cve-2022-39952-poc/
Related news
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)
- Chinese hackers exploit Fortinet VPN zero-day to steal credentials (source)
- China-linked group abuses Fortinet 0-day with post-exploit VPN-credential stealer (source)
- Exploit released for critical WhatsUp Gold RCE flaw, patch now (source)
- Mitel MiCollab zero-day and PoC exploit unveiled (source)
- PoC exploit chains Mitel MiCollab 0-day, auth-bypass bug to access sensitive files (source)
- 390,000+ WordPress Credentials Stolen via Malicious GitHub Repository Hosting PoC Exploits (source)
- Fortinet Warns of Critical FortiWLM Flaw That Could Lead to Admin Access Exploits (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-02-16 | CVE-2022-39952 | Exposure of Resource to Wrong Sphere vulnerability in Fortinet Fortinac A external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP request. | 9.8 |