Security News > 2023 > June > Fortinet fixes critical FortiNAC remote command execution flaw

Cybersecurity solutions company Fortinet has updated its zero-trust access solution FortiNAC to address a critical-severity vulnerability that attackers could leverage to execute code and commands.

FortiNAC is a allows organizations to manage network-wide access policies, gain visibility of devices and users, and secure the network against unauthorized access and threats.

"A deserialization of untrusted data vulnerability [CWE-502] in FortiNAC may allow an unauthenticated user to execute unauthorized code or commands via specifically crafted requests to the TCP/1050 service" - Fortinet.

Along with the critical RCE, Fortinet also annouced today that it fixed a medium-severity vulnerability tracked as CVE-2023-33300 - an improper access control issue affecting FortiNAC 9.4.0 through 9.4.3 and FortiNAC 7.2.0 through 7.2.1.

"An improper neutralization of special elements used in a command vulnerability [CWE-77] in FortiNAC TCP/5555 service may allow an unauthenticated attacker to copy local files of the device to other local directories of the device via specially crafted input fields" - Fortinet.

A recent example is CVE-2022-39952, a critical RCE impacting FortiNAC that received a fix in mid-February but hackers started using it in attacks a few days later, after proof-of-concept code was published.

News URL

https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-fortinac-remote-command-execution-flaw/