On Thursday, 16 February 2023, Fortinet patched two critical unauthenticated remote code execution vulnerabilities, one impacting FortiNAC (CVE-2022-39952) and one impacting FortiWeb (CVE-2021-42756). Both vulnerabilities were discovered by Fortinet’s Product Security team.
Based on CISA’s Known Exploited Vulnerabilities Catalog, threat actors have leveraged Fortinet vulnerabilities in campaigns. However, threat actors have not targeted FortiNAC or FortiWeb products historically. Arctic Wolf Labs has observed proof of concept (PoC) exploit code being made publicly available for CVE-2022-39952. Security researchers have also started seeing active exploitation of CVE-2022-39952 occurring in the wild now that PoC exploit code has been published.
CVE-2022-39952 (CVSS 9.8): An external control of file name or path in FortiNAC’s keyUpload scriptlet could allow an unauthenticated threat actor to perform an arbitrary write on the vulnerable system.
Affected versions (CVE-2022-39952):
FortiNAC version 9.4.0
FortiNAC version 9.2.0 through 9.2.5
FortiNAC version 9.1.0 through 9.1.7
FortiNAC 8.8 all versions
FortiNAC 8.7 all versions
FortiNAC 8.6 all versions
FortiNAC 8.5 all versions
FortiNAC 8.3 all versions
Fixed versions (CVE-2022-39952):
FortiNAC version 9.4.1 or above
FortiNAC version 9.2.6 or above
FortiNAC version 9.1.8 or above
FortiNAC version 7.2.0 or above
CVE-2021-42756 (CVSS 9.3): Multiple stack-based buffer overflow vulnerabilities in FortiWeb’s proxy daemon could allow an unauthenticated threat actor to execute arbitrary code via specially crafted HTTP requests.
- Based on the CVE number, Fortinet discovered the vulnerability in 2021. However, it was not disclosed until February 16, 2023.
Affected versions (CVE-2021-42756):
FortiWeb versions 5.x all versions
Fixed versions (CVE-2021-42756):
FortiWeb 7.0.0 or above
Arctic Wolf will follow its standard internal processes to assess the impact of the newly reported vulnerabilities within its own environment and if impacted, will address it within the established remediation timelines in our Security Patching Policy.
Recommendation #1: Upgrade FortiNAC and/or FortiWeb
Arctic Wolf strongly recommends upgrading FortiNAC and FortiWeb to the latest versions to fully remediate the vulnerabilities and prevent potential exploitation.
FortiNAC version 9.4.1 or above
FortiWeb 7.0.0 or above
Note: Arctic Wolf recommends following change management best practices for applying security patches, including testing changes in a dev environment before deploying to production to avoid any operational impact.
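To turn the affected and fixed version lists above into a patch list, the following added example (not Arctic Wolf's or Fortinet's own tooling) triages a constructed FortiNAC/FortiWeb inventory against the bulletin's version ranges. Hostnames and versions in the sample inventory are made up; the ranges are transcribed from the lists above. The point it makes beyond the text is that a naive "version greater than the fix" comparison misclassifies FortiNAC hosts, because 7.2.0 is listed as a fixed release while 9.4.0 is affected, so the check is done per release train and any train the bulletin does not mention is reported as "unlisted" rather than assumed safe.

```python
"""Triage a FortiNAC / FortiWeb inventory against the bulletin's version lists.

Added example, not vendor or Arctic Wolf code. Version ranges below are taken
from the bulletin; the inventory at the bottom is constructed sample data.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
INF: Version = (10**9,)  # sentinel upper bound for open-ended "or above" ranges


def parse_version(text: str) -> Version:
    """'9.2.5' -> (9, 2, 5). Missing components are padded with 0 so that
    '9.4' and '9.4.0' compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


# Half-open ranges [low, high) transcribed from the bulletin. Each affected
# entry carries the CVE it maps to. "X.Y all versions" becomes [X.Y.0, X.(Y+1).0).
AFFECTED: Dict[str, List[Tuple[str, Version, Version]]] = {
    "FortiNAC": [
        ("CVE-2022-39952", (9, 4, 0), (9, 4, 1)),  # 9.4.0
        ("CVE-2022-39952", (9, 2, 0), (9, 2, 6)),  # 9.2.0 through 9.2.5
        ("CVE-2022-39952", (9, 1, 0), (9, 1, 8)),  # 9.1.0 through 9.1.7
        ("CVE-2022-39952", (8, 8, 0), (8, 9, 0)),  # 8.8 all versions
        ("CVE-2022-39952", (8, 7, 0), (8, 8, 0)),  # 8.7 all versions
        ("CVE-2022-39952", (8, 6, 0), (8, 7, 0)),  # 8.6 all versions
        ("CVE-2022-39952", (8, 5, 0), (8, 6, 0)),  # 8.5 all versions
        ("CVE-2022-39952", (8, 3, 0), (8, 4, 0)),  # 8.3 all versions
    ],
    "FortiWeb": [
        ("CVE-2021-42756", (5, 0, 0), (6, 0, 0)),  # 5.x all versions
    ],
}

# Fixed releases, bounded to the train the bulletin names. FortiNAC 7.2.0 is a
# fixed release despite its lower number, which is why we do not simply compare
# against a single "minimum safe version".
FIXED: Dict[str, List[Tuple[Version, Version]]] = {
    "FortiNAC": [
        ((9, 4, 1), (9, 5, 0)),  # 9.4.1 or above
        ((9, 2, 6), (9, 3, 0)),  # 9.2.6 or above
        ((9, 1, 8), (9, 2, 0)),  # 9.1.8 or above
        ((7, 2, 0), (8, 0, 0)),  # 7.2.0 or above (8.x is affected, so bound at 8.0.0)
    ],
    "FortiWeb": [
        ((7, 0, 0), INF),        # 7.0.0 or above
    ],
}


def classify(product: str, version: str) -> Tuple[str, str]:
    """Return (status, cve) with status in {'affected', 'fixed', 'unlisted'}.
    'unlisted' means the bulletin says nothing about that train; it is not a
    clean bill of health and should be confirmed against the vendor advisory."""
    v = parse_version(version)
    for cve, lo, hi in AFFECTED.get(product, []):
        if lo <= v < hi:
            return "affected", cve
    for lo, hi in FIXED.get(product, []):
        if lo <= v < hi:
            return "fixed", ""
    return "unlisted", ""


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str, str]]:
    """inventory rows are (hostname, product, version). Returns
    (hostname, product, version, status, cve) rows with affected hosts first."""
    order = {"affected": 0, "unlisted": 1, "fixed": 2}
    rows = [(h, p, ver, *classify(p, ver)) for h, p, ver in inventory]
    rows.sort(key=lambda r: (order[r[3]], r[0]))
    return rows


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("nac-dc1", "FortiNAC", "9.2.5"),   # last affected 9.2.x release
    ("nac-dc2", "FortiNAC", "9.2.6"),   # first fixed 9.2.x release
    ("nac-lab", "FortiNAC", "7.2.1"),   # fixed train with a numerically lower version
    ("nac-old", "FortiNAC", "8.4.2"),   # train not mentioned in the bulletin
    ("waf-edge", "FortiWeb", "5.9.1"),  # 5.x: affected
    ("waf-new", "FortiWeb", "7.0.3"),   # 7.0.0 or above: fixed
    ("waf-mid", "FortiWeb", "6.3.17"),  # 6.x: not mentioned in the bulletin
]

if __name__ == "__main__":
    for host, product, ver, status, cve in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {product:9} {ver:8} {status:9} {cve}")
```

The "unlisted" bucket is deliberate: the sort order puts it between affected and fixed so that trains the bulletin does not cover (FortiNAC 8.4.x, FortiWeb 6.x in the sample) get looked at rather than silently treated as patched.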