Fortinet Shares Clarifications on Exploitation of FortiNAC Vulnerability

Fortinet provides clarifications following ‘sensationalized reports’ related to exploitation attempts targeting the FortiNAC vulnerability CVE-2022-39952

Fortinet has shared some important clarifications following what the company described as ‘sensationalized reports’ regarding recent exploitation attempts targeting a vulnerability in its FortiNAC network access control (NAC) solution. 

The vulnerability, tracked as CVE-2022-39952, can be exploited by a remote, unauthenticated attacker for arbitrary code execution. The issue was discovered internally by Fortinet. 

Patches for the flaw were announced on February 16, and technical details and a proof-of-concept (PoC) exploit were made public by a cybersecurity company on February 21. 

On the same day, nonprofit cybersecurity organization Shadowserver said its honeypots had started seeing exploitation attempts coming from multiple IPs. The next day, threat intelligence firm GreyNoise reported seeing ‘broad’ exploitation of CVE-2022-39952 from two IP addresses — the number of IPs seen by GreyNoise remains two as of February 24. 

Chile-based security firm Cronup reported seeing ‘mass exploitation’ coming from 10 IP addresses. Some attempts were designed to identify vulnerable FortiNAC systems, while others deployed a reverse shell.

Several researchers described the vulnerability as very easy to exploit. 

Fortinet published a blog post on Thursday, telling customers that CVE-2022-39952 is a critical issue that needs to be patched immediately. 

However, the company pointed out that there have been some ‘sensationalized reports’ about the potential mass exploitation of 711,000 devices. 

“Those reports are false,” Fortinet said. “The fact is most organizations leverage FortiNAC in air-gapped environments that are not exposed to the internet. And while Fortinet has a vast cybersecurity portfolio and has shipped over 10M units, in reality, there aren’t 711,234 devices out there that are vulnerable. This is an understandable misunderstanding because we ship more security appliances than anyone, but the reports are false.”

Several of the news articles published following the disclosure of CVE-2022-39952 have referenced a Shodan search that appears to show more than 700,000 internet-exposed Fortinet devices. However, this does not mean all of these devices are affected by CVE-2022-39952 or vulnerable to attacks. 

Fortinet also pointed out that the exploitation attempts seen by the cybersecurity industry might not actually be aimed at FortiNAC devices.

“Cloud honeypot activity only shows attackers attempting to compromise some sort of device (not necessarily FortiNAC devices) with the externally provided POC code,” it clarified. 

The actual impact from the exploitation of CVE-2022-39952 remains to be seen. However, it is important that FortiNAC users do not ignore the potential threat as sophisticated threat actors have been known to target Fortinet products in their attacks. 


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
