Deserialization Vulnerability in Fortinet FortiNAC Products
CVE-2023-33299

9.6CRITICAL

Key Information:

Vendor

Fortinet
Status
Fortinac
Vendor
CVE Published:
23 June 2023

What is CVE-2023-33299?

A deserialization vulnerability exists in Fortinet's FortiNAC product that allows an attacker to execute unauthorized code or commands. This flaw affects FortiNAC versions below 7.2.1, 9.4.3, 9.2.8, and all earlier versions of the 8.x series. Specifically crafted requests sent over inter-server communication ports can exploit this vulnerability, posing a significant threat to system security. Notably, FortiNAC version 8.x will not receive a fix for this issue.

Affected Version(s)

FortiNAC 9.4.0 <= 9.4.2

FortiNAC 9.2.0 <= 9.2.7

FortiNAC 9.1.0 <= 9.1.9

References

https://fortiguard.com/psirt/FG-IR-23-074

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.