June 25, 2023

Fortinet has updated FortiNAC to address various of vulnerabilities, including critical RCE vulnerability that might be exploited by malicious actors in order to perform remote code execution without authentication.

The Critical Vulnerability

• CVE-2023-33299 (CVSS score: 9.6, Critical) – A deserialization of untrusted data vulnerability, successful exploitation may allow an unauthenticated user to execute unauthorized code or commands via specifically crafted requests to the TCP/1050 service.

Affected Products

• FortiNAC version 9.4.0 through 9.4.2
• FortiNAC version 9.2.0 through 9.2.7
• FortiNAC version 9.1.0 through 9.1.9
• FortiNAC version 7.2.0 through 7.2.1
• FortiNAC 8.8 all versions
• FortiNAC 8.7 all versions
• FortiNAC 8.6 all versions
• FortiNAC 8.5 all versions
• FortiNAC 8.3 all versions

Mitigation

CYREBRO strongly recommends all Fortinet customers to update to the patched versions of FortiNAC.

It is also recommended to make sure that the other Forti products are updated, such as FortiOS, FortiProxy.

References: Fortinet Advisory