Connect with us

Hi, what are you looking for?



Fortinet Shares Clarifications on Exploitation of FortiNAC Vulnerability

Fortinet provides clarifications following ‘sensationalized reports’ related to exploitation attempts targeting the FortiNAC vulnerability CVE-2022-39952

Fortinet has shared some important clarifications following what the company described as ‘sensationalized reports’ regarding recent exploitation attempts targeting a vulnerability in its FortiNAC network access control (NAC) solution. 

The vulnerability, tracked as CVE-2022-39952, can be exploited by a remote, unauthenticated attacker for arbitrary code execution. The issue was discovered internally by Fortinet. 

Patches for the flaw were announced on February 16, and technical details and a proof-of-concept (PoC) exploit were made public by a cybersecurity company on February 21. 

On the same day, nonprofit cybersecurity organization Shadowserver said its honeypots had started seeing exploitation attempts coming from multiple IPs. The next day, threat intelligence firm GreyNoise reported seeing ‘broad’ exploitation of CVE-2022-39952 from two IP addresses — the number of IPs seen by GreyNoise remains two as of February 24. 

Chile-based security firm Cronup reported seeing ‘mass exploitation’ coming from 10 IP addresses. Some attempts were designed to identify vulnerable FortiNAC systems, while others deployed a reverse shell.

Several researchers described the vulnerability as very easy to exploit. 

Fortinet published a blog post on Thursday, telling customers that CVE-2022-39952 is a critical issue that needs to be patched immediately. 

Advertisement. Scroll to continue reading.

However, the company pointed out that there have been some ‘sensationalized reports’ about the potential mass exploitation of 711,000 devices. 

“Those reports are false,” Fortinet said. “The fact is most organizations leverage FortiNAC in air-gapped environments that are not exposed to the internet. And while Fortinet has a vast cybersecurity portfolio and has shipped over 10M units, in reality, there aren’t 711,234 devices out there that are vulnerable. This is an understandable misunderstanding because we ship more security appliances than anyone, but the reports are false.”

Several of the news articles published following the disclosure of CVE-2022-39952 have referenced a Shodan search that appears to show more than 700,000 internet-exposed Fortinet devices. However, this does not mean all of these devices are affected by CVE-2022-39952 or vulnerable to attacks. 

Fortinet also pointed out that the exploitation attempts seen by the cybersecurity industry might not actually be aimed at FortiNAC devices.

“Cloud honeypot activity only shows attackers attempting to compromise some sort of device (not necessarily FortiNAC devices) with the externally provided POC code,” it clarified. 

The actual impact from the exploitation of CVE-2022-39952 remains to be seen. However, it is important that FortiNAC users do not ignore the potential threat as sophisticated threat actors have been known to target Fortinet products in their attacks. 

Related: Fortinet Ships Emergency Patch for Already-Exploited VPN Flaw

Related: High-Severity Command Injection Flaws Found in Fortinet’s FortiTester, FortiADC

Related: Fortinet Confirms Zero-Day Vulnerability Exploited in One Attack

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.