Exploit Released for Critical Fortinet Remote Code Flaws

Written by Gabby Lee

February 22, 2023

Researchers have recently unveiled a proof-of-concept exploit that targets the RCE vulnerability (CVE-2022-39952) found in Fortinet’s FortiNAC network access control suite.

On February 16, Fortinet disclosed the vulnerability, assigning it a severity score of 9.8. The vendor cautioned that an unauthorized attacker could exploit it to write arbitrary files on the system and gain remote code execution abilities with the highest privileges.

Organizations currently using FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, and all versions on the 8.8, 8.7, 8.6, 8.5, and 8.3 branches were advised to prioritize implementing the available security updates.

Today, Horizon3 cybersecurity firm’s experts have published a technical post explaining the vulnerability and its potential exploits. The firm has also made available proof-of-concept (PoC) exploit code from its repository on GitHub.

The FortiNAC Exploit Explained

The PoC released involves writing a cron job to /etc/cron.d/, which triggers every minute to initiate a root reverse shell to grant remote code execution capabilities to the attackers. The analysts discovered that the CVE-2022-39952 fix removed ‘keyUpload.jsp,’ an endpoint that parses requests for a ‘key’ parameter, writes it on a config file, and then executes a bash script, ‘configApplianceXml.

Exploit Released for Critical Fortinet Remote Code Flaws

The newly written file triggers the ‘unzip’ command in the bash script, which executes after the script calls “cd /. Unzip allows placing files in any paths provided that they do not traverse above the current working directory.

Exploit Released for Critical Fortinet Remote Code Flaws

Consequently, an attacker can create a ZIP archive that carries the payload, specify where it should be extracted, and send it to the target endpoint using the key parameter. The ‘key’ parameter ensures that the malicious request reaches ‘keyUpload.jsp,’ – the unauthenticated endpoint that Fortinet removed in their renewed versions of FortiNAC.

Exploit Released for Critical Fortinet Remote Code Flaws

The code provided by Horizon3 simplifies this process, which could be adopted and tweaked by malicious actors to develop weaponized exploits. Conversely, it could also aid defenders in building appropriate protection against attempts to exploit corporate networks.

In light of this, FortiNAC administrators are strongly advised to upgrade to a non-affected version of the product immediately, specifically FortiNAC 9.4.1 or later, 9.2.6 or above, 9.1.8 or newer, and 7.2.0 or later.

Related Articles

Stay Up to Date With The Latest News & Updates

Join Our Newsletter


Subscribe To Our Newsletter

Sign up to our weekly newsletter summarizing everything thats happened in data security, storage, and backup and disaster recovery

You have Successfully Subscribed!