CVE-2022-39952

Name of the Vulnerable Software and Affected Versions FortiNAC versions 8.3.7, 8.5.0 through 8.5.4, 8.6.0 through 8.6.5, 8.7.0 through 8.7.6, 8.8.0 through 8.8.11, 9.1.0 through 9.1.7, 9.2.0 through 9.2.5, 9.4.0

Description The issue is related to incorrect external control of file name or path in the keyUpload component of Fortinet FortiNAC. This can be exploited by an unauthenticated attacker to execute unauthorized code or commands via a specifically crafted HTTP request. The vulnerability allows an attacker to write arbitrary files to the system, resulting in remote code execution from the root.

Recommendations For FortiNAC versions 8.3.7, 8.5.0 through 8.5.4, 8.6.0 through 8.6.5, 8.7.0 through 8.7.6, 8.8.0 through 8.8.11, 9.1.0 through 9.1.7, 9.2.0 through 9.2.5, 9.4.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability.