Fortinet Critical Remote Code Execution (RCE) Vulnerabilities (CVE-2022-39952 and CVE-2021-42756)

Dark Lab on Mar 14 2023
An unauthenticated attacker can send specially crafted HTTP requests to the vulnerable FortiNAC webserver. Successful exploitation of CVE-2022-39952 would potentially allow an attacker to achieve remote code execution as the root user. Security researchers have validated the exploit and announced on 18 February 2023 that a blog post and PoC will be made publicly available. Based on recent incident experience and open source intelligence, PwC’s Dark Lab observe threat actors continuously weaponise critical vulnerabilities – particularly RCE vulnerabilities – within three days of PoCs being published. We posit that upon the PoC release of CVE-2022-39952, threat actors will attempt to exploit exposed FortiNAC servers.

Update: on 23 February 2023, a PoC was released.

The vendor advises end users leveraging vulnerable versions of FortiNAC and FortiWeb to apply the latest patches as soon as possible to remediate the vulnerabilities. No further workarounds or mitigations have been disclosed.

https://github.com/horizon3ai/CVE-2022-39952

https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/

https://www.fortiguard.com/psirt/FG-IR-22-300

https://www.fortiguard.com/psirt/FG-IR-21-186