Fortinet remediates critical FortiNAC RCE vulnerability

Target Industry

Indiscriminate, opportunistic targeting.


Fortinet has released a remediation for a critical-severity flaw, tracked as CVE-2023-33299 (CVSSv3 score: 9.6), which pertains to a deserialization vulnerability that could lead to remote code execution (RCE) capabilities.


Successful exploitation of CVE-2023-33299 could allow an unauthenticated threat actor to execute unauthorised code or commands via specifically crafted requests, compromising the integrity of data.

Vulnerability Detection

Fortinet has released security patches for the vulnerability. Versions prior to the patched releases therefore remain exposed to potential exploitation.

Affected Products

  • FortiNAC version 9.4.0 through 9.4.2
  • FortiNAC version 9.2.0 through 9.2.7
  • FortiNAC version 9.1.0 through 9.1.9
  • FortiNAC version 7.2.0 through 7.2.1
  • FortiNAC 8.8, all versions
  • FortiNAC 8.7, all versions
  • FortiNAC 8.6, all versions
  • FortiNAC 8.5, all versions
  • FortiNAC 8.3, all versions

Containment, Mitigations & Remediations

No mitigations are currently available to address the vulnerability. It is therefore strongly recommended that users apply the relevant updates as soon as possible. The updated versions are:

  • FortiNAC 9.4.3 or above
  • FortiNAC 9.2.8 or above
  • FortiNAC 9.1.10 or above
  • FortiNAC 7.2.2 or above
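The affected-version and fixed-version lists above are what a defender turns into an inventory check. The following script is an added example, not Fortinet's own tooling: it encodes both lists from this bulletin, classifies each FortiNAC version string in a constructed inventory as vulnerable, fixed or not covered, and names the upgrade target where one is listed. Version strings are assumed to be plain dotted integers; the hostnames and versions in the sample inventory are constructed.

```python
"""Triage FortiNAC version strings against the affected and fixed
versions listed in this bulletin for CVE-2023-33299.

Added example, not Fortinet code. Version strings are assumed to be
plain dotted integers (e.g. "9.4.2"); the inventory below is constructed.
"""
from __future__ import annotations

CVE = "CVE-2023-33299"

# Affected ranges from the bulletin, inclusive on both ends.
AFFECTED_RANGES = [
    ((9, 4, 0), (9, 4, 2)),
    ((9, 2, 0), (9, 2, 7)),
    ((9, 1, 0), (9, 1, 9)),
    ((7, 2, 0), (7, 2, 1)),
]

# Branches for which every version is affected and no fixed release is listed.
AFFECTED_BRANCHES = {(8, 8), (8, 7), (8, 6), (8, 5), (8, 3)}

# Minimum fixed release per branch ("X or above" in the bulletin).
FIXED_MINIMUM = {
    (9, 4): (9, 4, 3),
    (9, 2): (9, 2, 8),
    (9, 1): (9, 1, 10),
    (7, 2): (7, 2, 2),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn "9.4.2" into (9, 4, 2); raise on anything unexpected."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(text: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for one version string."""
    v = parse_version(text)
    v3 = (v + (0, 0, 0))[:3]  # pad short strings such as "8.8" to three parts
    branch = v3[:2]

    if branch in AFFECTED_BRANCHES:
        return "vulnerable"  # whole branch affected, no fixed release listed
    for low, high in AFFECTED_RANGES:
        if low <= v3 <= high:
            return "vulnerable"
    if branch in FIXED_MINIMUM and v3 >= FIXED_MINIMUM[branch]:
        return "fixed"
    return "unknown"  # not covered by the bulletin, e.g. a 9.3.x release


def remediation_for(text: str) -> str | None:
    """Name the upgrade target for an affected version, if the bulletin lists one."""
    branch = parse_version(text)[:2]
    if branch in FIXED_MINIMUM:
        return ".".join(map(str, FIXED_MINIMUM[branch])) + " or above"
    return None


def triage(inventory: dict[str, str]) -> list[tuple[str, str, str, str | None]]:
    """Assess a {host: version} inventory; returns (host, version, status, fix) rows."""
    rows = []
    for host, version in sorted(inventory.items()):
        status = assess(version)
        fix = remediation_for(version) if status == "vulnerable" else None
        rows.append((host, version, status, fix))
    return rows


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    sample = {
        "nac-dc1": "9.4.2",
        "nac-dc2": "9.4.3",
        "nac-lab": "8.8.2",
        "nac-branch": "9.1.10",
        "nac-old": "7.2.0",
    }
    for host, version, status, fix in triage(sample):
        line = f"{host:<11} {version:<8} {status}"
        if fix:
            line += f"  -> upgrade to FortiNAC {fix}"
        print(line)
```

Versions on the 8.x branches are reported as vulnerable with no upgrade target, since the bulletin lists no fixed release for them; those hosts need a migration to a supported branch rather than a point upgrade. Versions the bulletin does not mention at all (for example a 9.3.x build) are reported as unknown rather than silently treated as safe.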

Threat Landscape

Fortinet holds a significant share of the networking-hardware market. Since threat actors generally weigh the probability of success against asset value when deciding which attack surfaces to develop exploits for, Fortinet networking products have become a prime target. Because Fortinet products are integral to business operations, threat actors will continue to exploit vulnerabilities in these products in an attempt to exfiltrate the sensitive data they hold or to disrupt associated business operations.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Common Weakness Enumeration (CWE):

CWE-502 – Deserialization of Untrusted Data

Further Information

Fortinet Advisory

