Fortinet has shared some important clarifications following what the company described as ‘sensationalized reports’ regarding recent exploitation attempts targeting a vulnerability in its FortiNAC network access control (NAC) solution.
The vulnerability, tracked as CVE-2022-39952, can be exploited by a remote, unauthenticated attacker for arbitrary code execution. The issue was discovered internally by Fortinet.
Patches for the flaw were announced on February 16, and technical details and a proof-of-concept (PoC) exploit were made public by a cybersecurity company on February 21.
On the same day, nonprofit cybersecurity organization Shadowserver said its honeypots had started seeing exploitation attempts coming from multiple IPs. The next day, threat intelligence firm GreyNoise reported seeing ‘broad’ exploitation of CVE-2022-39952 from two IP addresses — the number of IPs seen by GreyNoise remains two as of February 24.
Chile-based security firm Cronup reported seeing ‘mass exploitation’ coming from 10 IP addresses. Some attempts were designed to identify vulnerable FortiNAC systems, while others deployed a reverse shell.
Several researchers described the vulnerability as very easy to exploit.
Fortinet published a blog post on Thursday, telling customers that CVE-2022-39952 is a critical issue that needs to be patched immediately.
However, the company pointed out that there have been some ‘sensationalized reports’ about the potential mass exploitation of 711,000 devices.
“Those reports are false,” Fortinet said. “The fact is most organizations leverage FortiNAC in air-gapped environments that are not exposed to the internet. And while Fortinet has a vast cybersecurity portfolio and has shipped over 10M units, in reality, there aren’t 711,234 devices out there that are vulnerable. This is an understandable misunderstanding because we ship more security appliances than anyone, but the reports are false.”
Several of the news articles published following the disclosure of CVE-2022-39952 have referenced a Shodan search that appears to show more than 700,000 internet-exposed Fortinet devices. However, this does not mean all of these devices are affected by CVE-2022-39952 or vulnerable to attacks.
Fortinet also pointed out that the exploitation attempts seen by the cybersecurity industry might not actually be aimed at FortiNAC devices.
“Cloud honeypot activity only shows attackers attempting to compromise some sort of device (not necessarily FortiNAC devices) with the externally provided POC code,” it clarified.
The actual impact of CVE-2022-39952 exploitation remains to be seen. However, it is important that FortiNAC users do not ignore the potential threat, as sophisticated threat actors have been known to target Fortinet products in their attacks.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.