Fortinet FortiNAC - Remote Code Execution (CVE-2022-39952)

Name: Fortinet FortiNAC - Remote Code Execution (CVE-2022-39952)
Published: 2023-03-07T00:00:00.000Z

Severity
CVE: CVE-2022-39952
CVSSv3 Score: 9.8
Exploitable with Sniper: No
Vulnerability description: Fortinet FortiNAC server is vulnerable to CVE-2022-39952, a Remote Code Execution through an Arbitrary File Upload vulnerability, affecting the /configWizard/keyUpload.jsp. The root cause of this vulnerability consists in poor handling of user uploaded archives via the KeyUpload.jsp endpoint. The archives are automatically extracted as the root user in the / directory, allowing an attacker to upload any file anywhere in the filesystem via a maliciously crafted zip archive. Through this vulnerability, a threat actor can upload a payload file in the /etc/cron.d/ directory and execute arbitrary commands via the cron service.
Risk description: The risk exists that a remote unauthenticated attacker can fully compromise the server in order to steal confidential information, install ransomware or pivot to the internal network.
Recommendation: Upgrade to FortiNAC 7.2.0, 9.1.8, 9.2.6, or 9.4.1 and above.
References: https://www.fortiguard.com/psirt/FG-IR-22-300
Detectable with: Network Scanner
Vuln date: Feb 2023
Published at: Mar 2023
Updated at: Mar 2023
Software Type: Network Access Control
Vendor: Fortinet
Product: FortiNAC
Codename: Not available