Fortinet remediates critical FortiNAC RCE vulnerability
Target Industry
Indiscriminate, opportunistic targeting.
Overview
Fortinet has released a fix for a critical-severity flaw, tracked as CVE-2023-33299 (CVSSv3 score: 9.6). The flaw is a deserialization-of-untrusted-data vulnerability that could lead to remote code execution (RCE).
Impact
Successful exploitation of CVE-2023-33299 could allow an unauthenticated threat actor to execute unauthorised code or commands via specifically crafted requests, resulting in a compromise of data integrity.
Vulnerability Detection
Fortinet has released security patches for the vulnerability; any version prior to the patched releases listed below remains vulnerable to potential exploitation.
Affected Products
- FortiNAC version 9.4.0 through 9.4.2
- FortiNAC version 9.2.0 through 9.2.7
- FortiNAC version 9.1.0 through 9.1.9
- FortiNAC version 7.2.0 through 7.2.1
- FortiNAC 8.8, all versions
- FortiNAC 8.7, all versions
- FortiNAC 8.6, all versions
- FortiNAC 8.5, all versions
- FortiNAC 8.3, all versions
Containment, Mitigations & Remediations
No mitigations are currently available to address the vulnerability. It is therefore strongly recommended that users apply the relevant updates as soon as possible. The updated versions are:
- FortiNAC 9.4.3 or above
- FortiNAC 9.2.8 or above
- FortiNAC 9.1.10 or above
- FortiNAC 7.2.2 or above
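The affected and fixed ranges above are easy to misread by hand across five branches, so the following is an added example (not Fortinet's code or tooling) that encodes them as data and triages a constructed asset inventory. Version strings are assumed to be plain dotted numerics as listed in the advisory; the inventory hostnames are constructed.

```python
"""Triage FortiNAC version strings against the CVE-2023-33299 advisory ranges."""
from typing import List, Tuple

Version = Tuple[int, int, int]

def parse_version(s: str) -> Version:
    """Turn '9.4.2' (or 'v9.4', '8.8') into a three-part tuple, padding with zeros."""
    parts = [int(p) for p in s.strip().lstrip("vV").split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])  # type: ignore[return-value]

# Ranges taken from the advisory: (first affected, last affected, fixed release).
AFFECTED_RANGES = [
    ((9, 4, 0), (9, 4, 2), "9.4.3"),
    ((9, 2, 0), (9, 2, 7), "9.2.8"),
    ((9, 1, 0), (9, 1, 9), "9.1.10"),
    ((7, 2, 0), (7, 2, 1), "7.2.2"),
]
# Branches the advisory marks as affected in all versions, with no fixed release listed.
UNFIXED_BRANCHES = [(8, 8), (8, 7), (8, 6), (8, 5), (8, 3)]

def assess(version: str) -> dict:
    """Return whether a single version is in an affected range and what to do."""
    v = parse_version(version)
    for lo, hi, fixed in AFFECTED_RANGES:
        if lo <= v <= hi:
            return {"version": version, "affected": True,
                    "action": f"upgrade to {fixed} or above"}
    for branch in UNFIXED_BRANCHES:
        if v[:2] == branch:
            return {"version": version, "affected": True,
                    "action": "no fixed release listed for this branch; move to a fixed release line"}
    # Anything else is simply not in the advisory's affected ranges.
    return {"version": version, "affected": False, "action": "none"}

def triage(inventory: List[Tuple[str, str]]) -> List[dict]:
    """Return the affected hosts from a list of (hostname, version) pairs."""
    findings = []
    for host, version in inventory:
        result = assess(version)
        if result["affected"]:
            findings.append({"host": host, **result})
    return findings

# Constructed inventory for illustration only.
SAMPLE_INVENTORY = [
    ("nac-dc1", "9.4.2"),   # affected, fix in 9.4.3
    ("nac-dc2", "9.4.3"),   # already fixed
    ("nac-branch", "8.8.1"),  # affected, no fix on the 8.8 branch
    ("nac-lab", "7.2.2"),   # already fixed
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']}: FortiNAC {f['version']} is affected; {f['action']}")
```

Tuple comparison does the range check, so a version such as 9.4.5 correctly falls outside the 9.4.0 to 9.4.2 window, while the 8.x branches are matched on their first two components because the advisory lists them as affected in all versions.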
Threat Landscape
Fortinet holds a significant share of the networking-hardware market. Because threat actors generally weigh both the probability of success and the value of the asset when choosing which attack surfaces to develop exploits for, Fortinet networking products have become a prime target. As these products are now integral to business operations, threat actors will continue to exploit vulnerabilities in them in an attempt to exfiltrate the sensitive data they hold or to disrupt the business operations that depend on them.
Threat Group
No attribution to specific threat actors or groups has been identified at the time of writing.
Mitre Methodologies
Common Weakness Enumeration (CWE):
CWE-502 – Deserialization of Untrusted Data
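The page does not describe FortiNAC's internals, so the following is a generic, added illustration of the weakness class (not FortiNAC code) in Python's pickle format: an unpickler that trusts the byte stream to name the code it loads, beside a hardened one that only resolves an allowlisted set of classes. The serialized inputs are constructed here; the allowlist entries are assumptions for the example.

```python
"""CWE-502 in miniature: untrusted deserialization vs. an allowlisted unpickler."""
import collections
import io
import os
import pickle

# (module, name) pairs the application legitimately needs to reconstruct.
# Everything else named by the byte stream is refused.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allowlisted globals; reject any other module/name the stream asks for."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")

def safe_loads(data: bytes):
    """Hardened path: the data cannot make the loader import arbitrary code."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def unsafe_loads(data: bytes):
    """The CWE-502 pattern: whatever global the stream names gets imported and resolved."""
    return pickle.loads(data)

# Constructed inputs.
BENIGN = pickle.dumps(collections.OrderedDict(host="nac01", version="9.4.2"))
# Pickling a function stores only a global reference; the unpickler resolves it by import.
# os.getcwd is harmless and is used purely to show that the reference is refused.
SUSPICIOUS = pickle.dumps(os.getcwd)

def demo() -> dict:
    """Exercise both loaders and report what each did."""
    results = {}
    results["benign_ok"] = safe_loads(BENIGN) == collections.OrderedDict(host="nac01", version="9.4.2")
    try:
        safe_loads(SUSPICIOUS)
        results["suspicious_blocked"] = False
    except pickle.UnpicklingError:
        results["suspicious_blocked"] = True
    # The unrestricted loader happily hands back the referenced callable.
    results["unsafe_resolves_callable"] = unsafe_loads(SUSPICIOUS) is os.getcwd
    return results

if __name__ == "__main__":
    print(demo())
```

The defensive point is that the allowlist is decided by the application, not by the data: the loader still reconstructs the structures it genuinely needs, but a stream naming anything outside that set fails closed with an error that can be logged and alerted on.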
Further Information