New Fortinet's FortiNAC Vulnerability Exposes Networks to Code Execution Attacks

2023-06-27 05:35

Fortinet has rolled out updates to address a critical security vulnerability impacting its FortiNAC network access control solution that could lead to the execution of arbitrary code.

"A deserialization of untrusted data vulnerability [CWE-502] in FortiNAC may allow an unauthenticated user to execute unauthorized code or commands via specifically crafted requests to the tcp/1050 service," Fortinet said in an advisory published last week.

The shortcoming impacts the following products, with patches available in FortiNAC versions 7.2.2, 9.1.10, 9.2.8, and 9.4.3 or later -.

Also resolved by Fortinet is a medium-severity vulnerability tracked as CVE-2023-33300, an improper access control issue affecting FortiNAC 9.4.0 through 9.4.3 and FortiNAC 7.2.0 through 7.2.1.

The alert follows the active exploitation of another critical vulnerability affecting FortiOS and FortiProxy that could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

It also comes more than four months after Fortinet addressed a severe bug in FortiNAC that could lead to arbitrary code execution.

News URL

https://thehackernews.com/2023/06/new-fortinets-fortinac-vulnerability.html

#attack #codeexecution #fortinac #fortinet #vulnerability #CVE-2023-33300

Related Vulnerability

DATE	CVE	VULNERABILITY TITLE	RISK
2025-03-14	CVE-2023-33300	A improper neutralization of special elements used in a command ('command injection') in Fortinet FortiNAC 7.2.1 and earlier, 9.4.3 and earlier allows attacker a limited, unauthorized file access via specifically crafted request in inter-server communication port. CWE-77	0.0

News URL

Related news

Related Vulnerability