Fortinet released updates to patch vulnerabilities in its FortiNAC network access control solution. The company described CVE-2023-33299 as an untrusted Java object deserialization flaw that could allow unauthorized users to execute code or commands. The flaw carries a CVSS score of 9.6 out of 10.
The security flaw impacts all versions of FortiNAC 8.3, 8.5, 8.6, 8.7, and 8.8. The vulnerability also affects FortiNAC versions 7.2.0 through 7.2.1, 9.1.0 through 9.1.9, 9.2.0 through 9.2.7, and 9.4.0 through 9.4.2. The announcement follows another bug in FortiProxy and FortiOS (CVE-2023-27997), which was exploited to attack government, manufacturing, and critical infrastructure targets earlier this month. FortiNAC also suffered a similar arbitrary code execution vulnerability in February 2023 (CVE-2023-39952). Hackers exploited that bug after a proof-of-concept was published online.
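The vulnerability class named above, untrusted Java object deserialization, arises when a service reconstructs whatever class a remote stream names. For FortiNAC the remedy is Fortinet's patch; the following is an added, defender-side example (not Fortinet's or FortiNAC's code) of how any Java service that must read serialized objects from the network can limit the damage with a JEP 290 ObjectInputFilter allowlist (Java 9 and later). The `SessionToken` and `UnexpectedType` classes are constructed for the demonstration and stand in for an expected wire type and for any class the service never asked for.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example, not vendor code: refuse untrusted classes during Java
// deserialization with an ObjectInputFilter allowlist plus resource limits.
public class SafeDeserialization {

    // The one type this hypothetical service legitimately expects on the wire.
    public static final class SessionToken implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String user;
        public SessionToken(String user) { this.user = user; }
    }

    // Constructed stand-in for any class not on the allowlist. A real attack
    // would name a gadget class already on the classpath; the filter logic is the same.
    public static final class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Serialize an object; stands in for bytes arriving from a remote client.
    public static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Allowlist filter: bound graph depth, reference count and stream size,
    // allow exactly the expected class, and reject every other class ("!*").
    // Strings are encoded natively in the stream and are not passed to the filter.
    public static ObjectInputFilter allowlist() {
        String pattern = "maxdepth=4;maxrefs=32;maxbytes=4096;"
                + SessionToken.class.getName() + ";"
                + "!*";
        return ObjectInputFilter.Config.createFilter(pattern);
    }

    // Returns the token if the stream passed the filter, or null if it was rejected.
    public static SessionToken readToken(byte[] untrusted)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                 new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            ois.setObjectInputFilter(allowlist());  // must be set before the first readObject()
            return (SessionToken) ois.readObject();
        } catch (InvalidClassException rejected) {
            // ObjectInputStream throws "filter status: REJECTED" for a class outside the allowlist;
            // log it, since an unexpected class on this channel is worth an alert.
            System.err.println("deserialization blocked: " + rejected.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        SessionToken ok = readToken(toBytes(new SessionToken("alice")));
        System.out.println("accepted user: " + (ok != null ? ok.user : "none"));

        SessionToken blocked = readToken(toBytes(new UnexpectedType()));
        System.out.println("unexpected class accepted? " + (blocked != null));
    }
}
```

Running the class prints `accepted user: alice` followed by a blocked message on stderr and `unexpected class accepted? false`. The same pattern string can be applied process-wide with the `jdk.serialFilter` system property, which is the quicker mitigation when the code that opens the `ObjectInputStream` cannot be changed; in either case the allowlist, not a blocklist of known gadgets, is what prevents the next gadget chain from working.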
Read More:
https://thehackernews.com/2023/06/new-fortinets-fortinac-vulnerability.html