DIVD-2023-00011 - FortiNAC and FortiWeb RCE Vulnerability

Our reference DIVD-2023-00011
Case lead Victor Pasman
Author Max van der Horst
Researcher(s)
CVE(s)
Product FortiNAC and FortiWeb
Versions
  • FortiNAC 9.4.0
  • FortiNAC 9.2.0 through 9.2.5
  • FortiNAC 9.1.0 through 9.1.7
  • FortiNAC 8.3 through 8.8
  • FortiWeb 5
  • FortiWeb 6.0.7
  • FortiWeb 6.1.2
  • FortiWeb 6.2.6
  • FortiWeb 6.3.16
  • FortiWeb 6.4
Recommendation For FortiNAC, upgrade to 9.4.1 or later, 9.2.6 or later, 9.1.8 or later, or 7.2.0 or later. For FortiWeb, upgrade to 7.0 or later, 6.3.17 or later, 6.2.7 or later, 6.1.3 or later, or 6.0.8 or later.
Status Closed
Last modified 20 Apr 2024 17:40 CEST

Summary

Fortinet has released security updates for both FortiNAC and FortiWeb, addressing two critical vulnerabilities that allow an unauthenticated threat actor to execute arbitrary code. These vulnerabilities may result in complete compromise of your system and/or appliances.

What you can do

Upgrade your FortiNAC and/or FortiWeb instances to one of the patched versions as soon as possible. For FortiNAC, upgrade to 9.4.1 or later, 9.2.6 or later, 9.1.8 or later, or 7.2.0 or later. For FortiWeb, upgrade to 7.0 or later, 6.3.17 or later, 6.2.7 or later, 6.1.3 or later, or 6.0.8 or later.

What we are doing

DIVD is currently scanning to identify vulnerable systems. If you receive a notification, your system has been confirmed to be vulnerable and patching is advised.

Timeline

Date Description
19 Feb 2023 DIVD starts researching these vulnerabilities.
21 Feb 2023 First version of this casefile.
23 Feb 2023 DIVD starts researching fingerprint.
23 Mar 2023 Fingerprint found.
20 Dec 2023 Case closed.
Gantt chart: DIVD-2023-00011 - FortiNAC and FortiWeb RCE Vulnerability. Case period 2023-02-03 to 2023-12-20 (320 days), with the timeline events above as milestones.

More information