Critical FortiNAC RCE Vulnerability Fixed by Fortinet: Install Updates Immediately

June 23, 2023

Fortinet has recently fixed a critical remote code execution (RCE) vulnerability in its network access control (NAC) solution, FortiNAC. The company designed FortiNAC to help organizations secure and control access to their networks by enforcing security policies, monitoring devices, and managing access privileges. This solution assists organizations in protecting their network infrastructure by offering visibility and control over devices connected to the network, such as laptops, smartphones, IoT devices, and other endpoints. Network administrators can use FortiNAC to define and enforce security policies, authenticate and authorize devices, and monitor network activity.

Fortinet has released security updates to address the critical vulnerability, identified as CVE-2023-33299 (with a CVSS score of 9.6/10). This vulnerability can be exploited by an unauthenticated attacker to execute arbitrary code and commands on vulnerable devices. The advisory states, “A deserialization of untrusted data vulnerability [CWE-502] in FortiNAC may allow an unauthenticated user to execute unauthorized code or commands via specifically crafted requests to the tcp/1050 service.” Florian Hauser from CODE WHITE reported the vulnerability to the company.

The following FortiNAC versions are affected by this vulnerability: 9.4.0 through 9.4.2, 9.2.0 through 9.2.7, 9.1.0 through 9.1.9, 7.2.0 through 7.2.1, and all versions of 8.8, 8.7, 8.6, 8.5, and 8.3. Fortinet has released updates to address the issue, and customers are advised to upgrade to the following versions: FortiNAC 9.4.3 or above, FortiNAC 9.2.8 or above, FortiNAC 9.1.10 or above, and FortiNAC 7.2.2 or above. Given the severity of the issue, customers are strongly advised to install these updates immediately.
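As an added example that is not part of this article or of Fortinet's own tooling, the following Python script classifies a FortiNAC version string against the affected and fixed ranges listed above, so an asset inventory can be triaged for CVE-2023-33299. It assumes versions are written as major.minor.patch, and it reports branches the advisory does not name as "not listed" rather than as safe.

```python
"""Triage FortiNAC version strings against the CVE-2023-33299 advisory ranges.

Added example, not Fortinet's tooling. The ranges below are transcribed from
the advisory figures quoted in the article; the major.minor.patch format is
an assumption about how versions appear in an inventory export.
"""
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (branch, first affected, last affected, first fixed build in that branch)
AFFECTED_RANGES = [
    ((9, 4), (9, 4, 0), (9, 4, 2), (9, 4, 3)),
    ((9, 2), (9, 2, 0), (9, 2, 7), (9, 2, 8)),
    ((9, 1), (9, 1, 0), (9, 1, 9), (9, 1, 10)),
    ((7, 2), (7, 2, 0), (7, 2, 1), (7, 2, 2)),
]
# Every release of these branches is affected and the advisory lists no in-branch fix.
ALL_AFFECTED_BRANCHES = {(8, 8), (8, 7), (8, 6), (8, 5), (8, 3)}


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; a bare 'major.minor' is treated as patch 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiNAC version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, advice); status is 'affected', 'fixed' or 'not listed'.

    'not listed' means the advisory names neither the branch as affected nor
    a fix for it, so it needs a manual check rather than being assumed safe.
    """
    v = parse_version(text)
    branch = v[:2]
    if branch in ALL_AFFECTED_BRANCHES:
        return "affected", "migrate to a fixed branch (7.2.2+, 9.1.10+, 9.2.8+ or 9.4.3+)"
    for b, lo, hi, fixed in AFFECTED_RANGES:
        if branch == b:
            if lo <= v <= hi:
                return "affected", "upgrade to {}.{}.{} or above".format(*fixed)
            return "fixed", None  # tuple compare: v is above the last affected build
    return "not listed", None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("nac-01", "9.4.2"), ("nac-02", "9.1.10"), ("nac-03", "8.7.1")]:
        print(host, ver, *assess(ver))
```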
