FortiNAC Vulnerability Exploited in Wild within minutes after release of PoC

Researchers from Horizon3 earlier this week released a PoC exploit for a critical-severity vulnerability, tracked as CVE-2022-39952, in Fortinet’s FortiNAC network access control solution.

Fortinet has released security updates last week to address two critical vulnerabilities in FortiNAC and FortiWeb solutions, tracked as CVE-2022-39952 and CVE-2021-42756, are respectively an external control of file name or path in Fortinet FortiNAC and a collection of stack-based buffer overflow issues in the proxy daemon of FortiWeb.

Advertisements

The affected products are:

FortiNAC version 9.4.0
FortiNAC version 9.2.0 through 9.2.5
FortiNAC version 9.1.0 through 9.1.7
FortiNAC 8.8 all versions
FortiNAC 8.7 all versions
FortiNAC 8.6 all versions
FortiNAC 8.5 all versions
FortiNAC 8.3 all versions

The CVE-2022-39952 vulnerability is fixed in FortiNAC 9.4.1 and later, 9.2.6 and later, 9.1.8 and later, and 7.2.0 and later.

The PoC released writes a cron job to /etc/cron.d/ that creates a reverse shell every minute. Shadowserver reported that attackers started targeting its honeypots to exploit the flaw. The threat actors started exploiting the Fortinet FortiNAC vulnerability CVE-2022-39952 the same day Horizon3 released the PoC exploit.

We are seeing @Fortinet FortiNAC CVE-2022-39952 exploitation attempts from multiple IPs in our honeypot sensors. A PoC was published earlier today. Make sure to upgrade your FortiNAC as specified in: https://t.co/edZEG2VOzL
— Shadowserver (@Shadowserver) February 21, 2023