DIVD-2023-00011 - FortiNAC and FortiWeb RCE Vulnerability
Field | Value |
---|---|
Our reference | DIVD-2023-00011 |
Case lead | Victor Pasman |
Author | Max van der Horst |
Researcher(s) | |
CVE(s) | |
Product | FortiNAC and FortiWeb |
Versions | |
Recommendation | For FortiNAC, upgrade to 9.4.1 or later, 9.2.6 or later, 9.1.8 or later, or 7.2.0 or later. For FortiWeb, upgrade to 7.0 or later, 6.3.17 or later, 6.2.7 or later, 6.1.3 or later, or 6.0.8 or later. |
Status | Closed |
Last modified | 20 Apr 2024 17:40 CEST |
Summary
Fortinet has released security updates for both FortiNAC and FortiWeb, addressing two critical vulnerabilities that allow an unauthenticated threat actor to execute arbitrary code. These vulnerabilities may result in complete compromise of your system and/or appliances.
What you can do
Upgrade your FortiNAC and/or FortiWeb instances to one of the patched versions as soon as possible, choosing the fixed release of the branch you are running. For FortiNAC, that means 9.4.1 or later, 9.2.6 or later, 9.1.8 or later, or 7.2.0 or later. For FortiWeb, upgrade to 7.0 or later, 6.3.17 or later, 6.2.7 or later, 6.1.3 or later, or 6.0.8 or later.
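As an added example (not DIVD tooling), a small Python check that maps an installed FortiNAC or FortiWeb version string to its release branch and compares it against the minimum patched version listed above, producing a patching worklist from an asset inventory. The hostnames and versions in the sample inventory are constructed; a branch the advisory does not name is reported as "unlisted" rather than guessed.

```python
import re

# Minimum patched version per release branch, from the recommendation above.
# Second element: how many leading components identify the branch. FortiWeb
# "7.0 or later" covers all of 7.x (1); every other entry is a minor branch (2).
FIXED = {
    "FortiNAC": [((9, 4, 1), 2), ((9, 2, 6), 2), ((9, 1, 8), 2), ((7, 2, 0), 2)],
    "FortiWeb": [((7, 0, 0), 1), ((6, 3, 17), 2), ((6, 2, 7), 2),
                 ((6, 1, 3), 2), ((6, 0, 8), 2)],
}

def parse_version(text):
    """Extract (major, minor, patch) from '9.2.5' or 'v6.3.17,build1234';
    a missing patch component counts as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def assess(product, version_text):
    """Return 'patched', 'vulnerable' or 'unlisted'; 'unlisted' means the
    branch is not one the advisory names, so verify it against the vendor."""
    v = parse_version(version_text)
    for floor, n in FIXED[product]:
        if v[:n] == floor[:n]:
            return "patched" if v >= floor else "vulnerable"
    return "unlisted"

def needs_action(inventory):
    """Worklist of (host, product, version, status) for every appliance
    that is not confirmed patched."""
    out = []
    for host, product, version in inventory:
        status = assess(product, version)
        if status != "patched":
            out.append((host, product, version, status))
    return out

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = [
    ("nac-01.example", "FortiNAC", "9.2.5"),
    ("nac-02.example", "FortiNAC", "9.4.1"),
    ("waf-01.example", "FortiWeb", "v6.3.16,build0812"),
    ("waf-02.example", "FortiWeb", "7.2.1"),
    ("nac-03.example", "FortiNAC", "9.3.2"),
]

if __name__ == "__main__":
    for row in needs_action(SAMPLE):
        print("%s %s %s -> %s" % row)
```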
What we are doing
DIVD is currently scanning to identify vulnerable systems. If you receive a notification, your system has been confirmed to be vulnerable and patching is advised.
Timeline
Date | Description |
---|---|
19 Feb 2023 | DIVD starts researching these vulnerabilities. |
21 Feb 2023 | First version of this casefile. |
23 Feb 2023 | DIVD starts researching a fingerprint. |
23 Mar 2023 | Fingerprint found. |
20 Dec 2023 | Case closed. |