Security News > 2023 > February > Hackers now exploit critical Fortinet bug to backdoor servers
Threat actors are targeting Internet-exposed Fortinet appliances with exploits targeting CVE-2022-39952, an unauthenticated file path manipulation vulnerability in the FortiNAC webserver that can be abused for remote command execution.
These attacks come one day after Horizon3 security researchers released proof-of-concept exploit code for the critical-severity flaw that will add a cron job to initiate a reverse shell on compromised systems as the root user.
Fortinet disclosed the vulnerability in a security advisory on Thursday, saying the bug affects multiple versions of its FortiNAC network access control solution and allows attackers to execute unauthorized code or commands following successful exploitation.
Since Fortinet has not provided mitigation guidance or workarounds, updating is the only way to thwart attack attempts.
Malicious activity observed while analyzing these ongoing attacks matches Horizon3's PoC exploit capabilities, with CronUp seeing threat actors using corn jobs to open reverse shells to attackers' IP addresses.
In December, Fortinet warned customers to patch FortiOS SSL-VPN appliances against an actively exploited security bug that enables unauthenticated remote code execution on vulnerable devices.
News URL
Related news
- Hackers Exploit Critical Craft CMS Flaws; Hundreds of Servers Likely Compromised (source)
- Apache Parquet exploit tool detect servers vulnerable to critical flaw (source)
- Türkiye Hackers Exploited Output Messenger Zero-Day to Drop Golang Backdoors on Kurdish Servers (source)
- China-Linked Hackers Exploit SAP and SQL Server Flaws in Attacks Across Asia and Brazil (source)
- Fortinet Urges FortiSwitch Upgrades to Patch Critical Admin Password Change Flaw (source)
- Critical FortiSwitch flaw lets hackers change admin passwords remotely (source)
- Hackers exploit WordPress plugin auth bypass hours after disclosure (source)
- Fortinet: Hackers retain access to patched FortiGate VPNs using symlinks (source)
- Hackers exploit old FortiGate vulnerabilities, use symlink trick to retain limited access to patched devices (source)
- Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploit (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-16 | CVE-2022-39952 | Exposure of Resource to Wrong Sphere vulnerability in Fortinet Fortinac A external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP request. | 9.8 |