Exploit Code Released for Critical Fortinet RCE Bug

Published: 23/11/2024   Category: security




Organizations are urged to update to the latest versions of FortiNAC to patch a flaw that allows unauthenticated attackers to write arbitrary files on the system.



Researchers have released details of how to exploit a critical remote code execution (RCE) bug in Fortinet's FortiNAC product. The flaw allows an unauthenticated attacker to write arbitrary files on the system and, from there, achieve RCE as the root user.
Organizations use FortiNAC as a network access control solution to oversee and secure all digital assets connected to the enterprise network. The product can be used to manage a range of devices, including: corporate endpoints, Internet of Things (IoT), operational technology and industrial control systems (OT/ICS), and connected medical devices (IoMT), among others. The idea is to provide visibility, control, and automated response for everything that connects to the network, and as such, the device offers a golden opportunity for attackers to pivot and move deep into networks, enumerate environments, steal sensitive information, and more.
Researchers at Horizon3.ai released a blog post with a technical analysis of, and proof-of-concept (PoC) exploit for, the vulnerability, tracked as CVE-2022-39952, which Fortinet disclosed and patched last week. They subsequently released the exploit code on GitHub.
Fortinet's Gwendal Guégniaud discovered the vulnerability, which earned a critical rating of 9.8 on the CVSS vulnerability-severity scale. The bug is an "external control of file name or path" vulnerability in the FortiNAC Web server, Fortinet said in its advisory, which allows an unauthenticated attacker to perform arbitrary writes on the system.
Fortinet has patched the affected product versions, and customers are urged to update to FortiNAC version 9.4.1 or above, 9.2.6 or above, 9.1.8 or above, or 7.2.0 or above. The vendor has also released a communication to customers strongly urging them to patch the critical flaw immediately.
While there are several ways to turn an arbitrary file write into RCE, the researchers chose to write what's called a cron job into /etc/cron.d/, they said.
The researchers extracted the filesystems from both the vulnerable and the patched versions of the product to examine the flaw, and found that Fortinet had removed an offending file, /bsc/campusMgr/ui/ROOT/configWizard/keyUpload.jsp, in the update that patches the bug. That file exposed an unauthenticated endpoint that parsed requests supplying a file in the key parameter and wrote it to /bsc/campusMgr/config.applianceKey, the researchers said.
To exploit the flaw, the researchers wrote the file and then triggered a call that executes a bash script, which in turn unzips the file that was just written. "The unzip process will allow placing files in any paths as long as they do not traverse above the current working directory," Horizon3.ai's chief attack engineer Zach Hanley wrote in the blog post. Because the working directory is /, the unzip call inside the bash script allows any arbitrary file to be written.
"Immediately, seeing this call on the attacker-controlled file gave us flashbacks to a few recent vulnerabilities we've looked at that have abused archive unpacking," he added.
The researchers used the aforementioned cron job, dropped at /etc/cron.d/payload, to weaponize the flaw. The job triggers every minute and launches a reverse shell back to the attacker. To do this, they created a zip archive containing the cron file along with the path it should be extracted to, and sent the malicious zip to the vulnerable endpoint in the key field, they said.
"Within a minute, we get a reverse shell as the root user," Hanley wrote, which then allows remote code to be executed.
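The archive mechanics described above, as an added example that is not Horizon3.ai's or Fortinet's code: the script builds a zip whose single member sits at a relative path, computes where an extractor that strips leading slashes and ".." components (the "no traversal above the current working directory" behaviour the write-up attributes to unzip) would write it for a given working directory, and then really extracts it into a temporary directory standing in for /. The cron line is a harmless placeholder for the researchers' reverse shell, and the list of sensitive destination prefixes used by the pre-extraction check is an assumption chosen for this example; nothing here touches the real /etc.

```python
import io
import os
import posixpath
import tempfile
import zipfile

# Constructed example (not the researchers' PoC). A harmless command stands in
# for the reverse shell they used; the file placement is what the example shows.
CRON_MEMBER = "etc/cron.d/payload"        # relative: unzip run from / writes /etc/cron.d/payload
CRON_LINE = "* * * * * root /bin/true\n"  # placeholder cron entry: every minute, as root


def build_archive(member: str = CRON_MEMBER, content: str = CRON_LINE) -> bytes:
    """Return a zip whose single member is extracted to `member`, relative to the unzip cwd."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def unzip_destinations(archive: bytes, cwd: str) -> list[str]:
    """Where each member lands when extracted from `cwd` by a tool that, like unzip,
    drops leading '/' and any '..' components instead of following them."""
    out = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            parts = [p for p in name.replace("\\", "/").split("/") if p not in ("", ".", "..")]
            out.append(posixpath.join(cwd, *parts))
    return out


# Assumed list of locations where a root-owned write turns into code execution.
SENSITIVE = ("/etc/cron.d/", "/etc/cron.hourly/", "/var/spool/cron/", "/root/.ssh/", "/etc/profile.d/")


def sensitive_writes(archive: bytes, cwd: str) -> list[str]:
    """Pre-extraction check: members that would land under a sensitive location."""
    return [d for d in unzip_destinations(archive, cwd) if d.startswith(SENSITIVE)]


def extract_to_fake_root(archive: bytes) -> dict[str, str]:
    """Extract into a temp dir standing in for '/', and return {path under that root: content}.
    Python's extractall applies the same '/' and '..' stripping as unzip, so the result
    matches unzip_destinations(archive, '/') without touching the real filesystem."""
    found = {}
    with tempfile.TemporaryDirectory() as root:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            zf.extractall(root)
        for dirpath, _, files in os.walk(root):
            for f in files:
                full = os.path.join(dirpath, f)
                with open(full) as fh:
                    found["/" + os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return found


if __name__ == "__main__":
    z = build_archive()
    print(unzip_destinations(z, "/"))                    # member resolves to /etc/cron.d/payload
    print(unzip_destinations(z, "/bsc/campusMgr/tmp"))   # same member is harmless from a scratch dir
    print(sensitive_writes(z, "/"))
    print(extract_to_fake_root(z))
```

The second call in the usage block is the caveat worth noticing: the member name itself is not malicious, and a "../../etc/cron.d/payload" or "/etc/cron.d/payload" name resolves to exactly the same place, because the extractor normalises them away. What makes the write dangerous is the script running unzip with / as its working directory, so a pre-extraction check like sensitive_writes() has to be evaluated against the real cwd, not against the archive alone.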
Historically, attackers have had a tendency to pounce on Fortinet flaws, sometimes even before the company knows they exist. Because such flaws offer a prime opportunity to gain a foothold on enterprise networks, any organization running affected versions of FortiNAC should update to the patched releases as soon as possible. So far, neither Fortinet nor Horizon3.ai is aware of any instances of attackers taking advantage of the flaw, but now that the latter's proof of concept is public, with step-by-step details on how it can be exploited, this is likely to change.
As recently as January, researchers tied a sophisticated new backdoor dubbed BoldMove to a zero-day vulnerability that Fortinet had discovered in multiple versions of its FortiOS and FortiProxy technologies in December. That flaw allowed an unauthenticated attacker to execute arbitrary code on affected systems. In the zero-day attack, a China-based threat actor engaged in cyber-espionage operations had apparently written the malware to run specifically on Fortinet's FortiGate firewalls, even before the vulnerability was made public and patched, the researchers found.
In October, attackers also showed significant interest in a critical authentication bypass vulnerability in multiple versions of Fortinet's FortiOS, FortiProxy, and FortiSwitchManager technologies, particularly after exploit code for the flaw was released.
