- 148/2023
- Critical
Fortinet has released security updates to fix two vulnerabilities in FortiNAC affecting multiple versions.
The addressed critical vulnerability could allow the remote attacker to execute unauthorized code or commands via specifically crafted requests to the TCP/1050 service.
Sample of the addressed vulnerabilities:
FortiNAC – Java Untrusted Object Deserialization RCE (CVE-2023-33299):
- CVSS: 9.6
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
Affected Versions:
- FortiNAC version 9.4.0 through 9.4.3.
- FortiNAC version 9.2.0 through 9.2.7.
- FortiNAC version 9.1.0 through 9.1.9.
- FortiNAC version 7.2.0 through 7.2.1.
- FortiNAC 8.8 all versions.
- FortiNAC 8.7 all versions.
- FortiNAC 8.6 all versions.
- FortiNAC 8.5 all versions.
- FortiNAC 8.3 all versions.
Vulnerabilities
- CVE-2023-33299
- CVE-2023-33300
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.