Experts have found that a recent vulnerability in Fortinet FortiNAC, patched earlier this month, is already being exploited in attacks. Experts said that more than 700,000 devices are vulnerable to the problem, but Fortinet developers say the situation is not that dire.
Let me remind you that last week, researchers published a PoC exploit for a critical vulnerability (CVE-2022-39952) in Fortinet FortiNAC. The issue is an external control of file name or path flaw in FortiNAC. It is rated 9.8 out of 10 on the CVSS scale and allows an unauthenticated attacker to write arbitrary files to the system, which can also lead to the execution of arbitrary code. Let me remind you that we also wrote that Fortinet Informs Customers about a Critical Vulnerability.
GreyNoise and CronUp experts reported that the vulnerability has been exploited in attacks. According to them, the exploitation was widespread and was used to open reverse shells, as well as to create fortii.jsp and shell.jsp web shells in the bsc/campusMgr/ui/ROOT/ folder on compromised devices.
The researchers emphasized that “the vulnerability is critical and key to the cybersecurity ecosystem, as it primarily allows initial access to corporate networks.”
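The web shell names and folder reported above can be checked during triage of an appliance or a mounted disk image. The following is an added example, not code from the article, Fortinet, GreyNoise or CronUp; the function names, the `fs_root` parameter and the baseline-timestamp heuristic are assumptions of this example, and the sample tree is constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Directory and file names as reported in the article.
WEBROOT = Path("bsc/campusMgr/ui/ROOT")
REPORTED_SHELLS = {"fortii.jsp", "shell.jsp"}


def triage_webroot(fs_root, baseline_epoch=None):
    """List suspicious JSP files under <fs_root>/bsc/campusMgr/ui/ROOT.

    fs_root: "/" on a live system or the mount point of a disk image.
    baseline_epoch (assumption of this example): files modified after this
    timestamp are reported even if their name is not one of the known ones.
    """
    findings = []
    webroot = Path(fs_root) / WEBROOT
    if not webroot.is_dir():
        return findings
    for path in sorted(webroot.rglob("*")):  # includes subdirectories
        if not path.is_file() or path.suffix.lower() not in (".jsp", ".jspx"):
            continue
        st = path.stat()
        if path.name.lower() in REPORTED_SHELLS:
            reason = "reported-webshell-name"
        elif baseline_epoch is not None and st.st_mtime > baseline_epoch:
            reason = "jsp-newer-than-baseline"
        else:
            continue
        findings.append({
            "path": path.relative_to(fs_root).as_posix(),
            "reason": reason,
            "mtime": st.st_mtime,
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        })
    return findings


def demo():
    """Build a constructed directory tree and triage it."""
    with tempfile.TemporaryDirectory() as root:
        webroot = Path(root) / WEBROOT
        webroot.mkdir(parents=True)
        baseline = 1_600_000_000  # constructed "install time"
        for name, mtime in [("index.jsp", baseline - 10),
                            ("fortii.jsp", baseline + 50),
                            ("status.jsp", baseline + 99)]:
            f = webroot / name
            f.write_text("<%-- constructed sample --%>")
            os.utime(f, (mtime, mtime))
        return [(x["path"], x["reason"]) for x in triage_webroot(root, baseline)]
```

A hit on a reported name is a strong indicator; a hit on the baseline heuristic only marks a file for manual review, since legitimate updates also change modification times.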
Fortinet ended up publishing a blog post informing customers that CVE-2022-39952 is a critical issue that really needs to be fixed immediately.
At the same time, many reports and articles published after the disclosure of CVE-2022-39952 mentioned a Shodan search that showed more than 700,000 Fortinet devices connected to the Internet. However, this does not mean that all these devices are vulnerable to CVE-2022-39952 and attacks. Fortinet emphasizes that some of the “sensational reports” of experts about the potential exploitation of 711,000 devices are not true.
Information security specialists also wrote about an exploit for Fortinet products which affects FortiGate firewalls, FortiProxy web proxy, and FortiSwitch Manager.