PoC exploit, IoCs for Fortinet FortiNAC RCE released (CVE-2022-39952)

Horizon3's Attack Team has released a PoC exploit for CVE-2022-39952, a critical vulnerability affecting FortiNAC, Fortinet's network access control solution.
"Similar to the weaponization of previous archive vulnerability issues that allow arbitrary file write, we use this vulnerability to write a cron job to /etc/cron.d/payload. This cron job gets triggered every minute and initiates a reverse shell to the attacker," shared Zach Hanley, Chief Attack Engineer at Horizon3.
"We first create a zip that contains a file and specify the path we want it extracted. Then, we send the malicious zip file to the vulnerable endpoint in the key field. Within a minute, we get a reverse shell as the root user."
He notes that defenders may not find the IoCs if attackers make sure to scrub the log file.
"Arbitrary file write vulnerabilities can be abused in several ways to obtain remote code execution. In this case, we write a cron job to /etc/cron.d/, but attackers could also overwrite any binary on the system that is regularly executed or SSH keys to a user profile," he added.
Enterprise admins who have missed the initial Fortinet alert are advised to update their FortiNAC device(s) to version 9.4.1 or above, 9.2.6 or above, 9.1.8 or above, and 7.2.0 or above as soon as possible, because there are no available workarounds.
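The file write described in the quotes above depends on an extractor honoring the path stored in an archive entry. As an added example (not code from Horizon3, Fortinet or the original article), this Python check flags entries that would land outside the extraction directory and refuses to unpack such an archive; the destination directory and the sample entry names are constructed assumptions.

```python
import io
import posixpath
import zipfile


def escaping_entries(zip_bytes, dest="/opt/app/upload"):
    """Return names of archive entries that would be written outside dest.

    dest is a hypothetical extraction directory; nothing is written to disk.
    """
    dest = posixpath.normpath(dest)
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            # posixpath.join discards dest when name is absolute, which is
            # the same behaviour a naive extractor exhibits.
            target = posixpath.normpath(posixpath.join(dest, name))
            if target != dest and not target.startswith(dest + "/"):
                flagged.append(info.filename)
    return flagged


def extract_if_clean(zip_bytes, dest):
    """Extract only when no entry escapes dest; otherwise raise ValueError."""
    bad = escaping_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"archive rejected, entries escape {dest}: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)


def build_sample(names):
    """Constructed in-memory archive with harmless placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed entry names: one benign, one absolute, one with traversal.
    sample = build_sample(["keys/license.key", "/etc/cron.d/payload", "../../x"])
    print(escaping_entries(sample))
```

The same check can be run over archives retained from upload handlers during triage, since it inspects entry names without writing anything to disk.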
News URL
https://www.helpnetsecurity.com/2023/02/21/cve-2022-39952-poc/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-02-16 | CVE-2022-39952 | Exposure of Resource to Wrong Sphere vulnerability in Fortinet FortiNAC. An external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP request. | 9.8 |