On June 23, 2023, Fortinet disclosed a critical Remote Code Execution (RCE) vulnerability (CVE-2023-33299) affecting FortiNAC, a network access control solution utilized by organizations to manage network access policies and compliance.
This vulnerability is the result of the deserialization of untrusted data. Deserialization vulnerabilities such as this one are dangerous because a threat actor can insert a modified serialized object into the system which leads to unauthenticated RCE.
Fortinet products are an attractive target for threat actors due to the level of access on a network a threat actor can achieve once a system is compromised. Additionally, Fortinet products have a large presence in enterprise networks globally which allow threat actors to target organizations across multiple industries.
| Affected FortiNAC Versions |
| Version 9.4.0 through 9.4.2 |
| Version 9.2.0 through 9.2.7 |
| Version 9.1.0 through 9.1.9 |
| Version 7.2.0 through 7.2.1 |
| 8.8 all versions |
| 8.7 all versions |
| 8.6 all versions |
| 8.5 all versions |
| 8.3 all versions |
Recommendation
Apply the Latest Security Patches Released by Fortinet
Arctic Wolf strongly recommends updating FortiNAC to the following versions outlined in the table below to remediate the newly disclosed vulnerability.
Note: Arctic Wolf recommends the following change management best practices for deploying security patches, including testing changes in a dev environment before deploying to production to avoid operational impact.
| Fixed FortiNAC Versions |
| Version 9.4.3 or above |
| Version 9.2.8 or above |
| Version 9.1.10 or above |
| Version 7.2.2 or above |
