Threat actors are trying to exploit a critical flaw in Fortinet's FortiNAC web server, five days after it was publicly disclosed.
Fortinet issued a security advisory last week detailing the vulnerability, tracked as CVE-2022-39952, which was discovered internally by Gwendal Guégniaud of Fortinet's product security team. The vulnerability affects a wide range of FortiNAC versions and received a CVSS score of 9.8 out of 10.
Now, a proof of concept (POC) exploit is available, and exploitation attempts have been observed in the wild. If successful, an unauthenticated attacker could execute unauthorized code or commands on vulnerable FortiNAC web servers. Exploitation requires no user interaction or privileges.
FortiNAC is Fortinet's zero-trust access product designed for enterprises to secure a variety of devices, including IT systems, IoT devices, operational technology and industrial control systems. Fortinet advised upgrading to the latest version.
Exploitation follows POC
Penetration testing vendor Horizon3.ai released an automated POC exploit through GitHub Tuesday, along with a blog post by Zach Hanley, chief attack engineer at Horizon3.ai. In addition to a deep-dive analysis with indicators of compromise (IOC), Hanley warned that an unauthenticated attacker could "write arbitrary files on the system and as a result obtain remote code execution in the context of the root user."
He noted several ways attackers could gain remote code execution. Most significantly, attackers could access SSH keys, which allows administrative access.
"In this case, we write a cron job to /etc/cron.d/, but attackers could also overwrite and binary on the system that is regularly executed or SSH keys to a user profile," Hanley wrote in the blog post.
Under IOCs, he recommended that users check logs for the line "Running configApplianceXml." To weaponize the flaw, Hanley noted that it only took a minute to get a reverse shell as the root user after sending a malicious zip file.
Hanley told TechTarget Editorial that the FortiNAC vulnerability is easy to exploit.
"It's a very trivial vulnerability due to it being an abuse of logic," he said.
Hours after Horizon3.ai released the POC, the Shadowserver Foundation, a cybersecurity nonprofit, started to observe threat activity.
"We are seeing @Fortinet FortiNAC CVE-2022-39952 exploitation attempts from multiple IPs in our honeypot sensors," Shadowserver wrote on Twitter. "A PoC was published earlier today. Make sure to upgrade your FortiNAC."
We are seeing @Fortinet FortiNAC CVE-2022-39952 exploitation attempts from multiple IPs in our honeypot sensors. A PoC was published earlier today. Make sure to upgrade your FortiNAC as specified in: https://t.co/edZEG2VOzL— Shadowserver (@Shadowserver) February 21, 2023
Coalition, Inc., also observed an increase in exploitation activity, as well as a rise in scanning for vulnerable instances, following the publicly available PoC. Tiago Henriques, vice president of security research at Coalition, told TechTarget Editorial there was a massive spike immediately after it was released. Since deploying its honeypots on Tuesday, the cybersecurity vendor logged 327 events.
The FortiNAC flaw is the latest Fortinet vulnerability to garner attention from threat actors. Attacks against Fortinet VPNs have been on the rise as threat actors take advantage of unpatched vulnerabilities to gain access. Earlier this month, threat actors targeted high-profile organizations by leveraging a critical Fortinet VPN flaw that was publicly disclosed in December.
Arielle Waldman is a Boston-based reporter covering enterprise security news.