Fortinet has shared some important clarifications following what the company described as ‘sensationalized reports’ regarding recent exploitation attempts targeting a vulnerability in its FortiNAC network access control (NAC) solution.
The vulnerability, tracked as CVE-2022-39952, can be exploited by a remote, unauthenticated attacker for arbitrary code execution. The issue was discovered internally by Fortinet.
Patches for the flaw were announced on February 16, and technical details and a proof-of-concept (PoC) exploit were made public by a cybersecurity company on February 21.
On the same day, nonprofit cybersecurity organization Shadowserver said its honeypots had started seeing exploitation attempts coming from multiple IPs. The next day, threat intelligence firm GreyNoise reported seeing ‘broad’ exploitation of CVE-2022-39952 from two IP addresses — the number of IPs seen by GreyNoise remains two as of February 24.
Chile-based security firm Cronup reported seeing ‘mass exploitation’ coming from 10 IP addresses. Some attempts were designed to identify vulnerable FortiNAC systems, while others deployed a reverse shell.
Several researchers described the vulnerability as very easy to exploit.
Fortinet published a blog post on Thursday, telling customers that CVE-2022-39952 is a critical issue that needs to be patched immediately.
However, the company pointed out that there have been some ‘sensationalized reports’ about the potential mass exploitation of 711,000 devices.
“Those reports are false,” Fortinet said. “The fact is most organizations leverage FortiNAC in air-gapped environments that are not exposed to the internet. And while Fortinet has a vast cybersecurity portfolio and has shipped over 10M units, in reality, there aren’t 711,234 devices out there that are vulnerable. This is an understandable misunderstanding because we ship more security appliances than anyone, but the reports are false.”
Several of the news articles published following the disclosure of CVE-2022-39952 have referenced a Shodan search that appears to show more than 700,000 internet-exposed Fortinet devices. However, this does not mean all of these devices are affected by CVE-2022-39952 or vulnerable to attacks.
Fortinet also pointed out that the exploitation attempts seen by the cybersecurity industry might not actually be aimed at FortiNAC devices.
“Cloud honeypot activity only shows attackers attempting to compromise some sort of device (not necessarily FortiNAC devices) with the externally provided POC code,” it clarified.
The actual impact from the exploitation of CVE-2022-39952 remains to be seen. However, it is important that FortiNAC users do not ignore the potential threat as sophisticated threat actors have been known to target Fortinet products in their attacks.