InfoSecBulletin Cybersecurity for mankind
Cybersecurity solutions company Fortinet has updated its zero-trust access solution FortiNAC to address a critical-severity vulnerability that attackers could leverage to execute code and commands.
FortiNAC is a allows organizations to manage network-wide access policies, gain visibility of devices and users, and secure the network against unauthorized access and threats.
Hacker claim to breach Link3; 189,000 Users data up for sale
Check Point Hosts “Securing the Hyperconnected World in the AI Era” in Dhaka
Microsoft Confirms 900+ XSS Vulns Found in IT Services
Daily Security Update Dated : 15.09.2025
IBM QRadar SIEM Vuln Let Attackers Perform Unauthorized Actions
Major Australian Banks using Army of AI Bots to Scam Scammers
F5 to acquire CalypsoAI for $180M for Advanced AI Security Capabilities
AI Pentesting Tool ‘Villager’ Merges Kali Linux with DeepSeek AI for Automated Attacks
CVE-2025-21043
Samsung Patched Critical Zero-Day Flaw Exploited in Android Attacks
Albania appoints world’s first AI minister, “Diella” to Tackle Corruption
The security issue is tracked as CVE-2023-33299 and received a critical severity score of 9.6 out of 10. It is a deserialization of untrusted data that may lead to remote code execution (RCE) without authentication.
“A deserialization of untrusted data vulnerability [CWE-502] in FortiNAC may allow an unauthenticated user to execute unauthorized code or commands via specifically crafted requests to the TCP/1050 service” – Fortinet
The products impacted by this flaw are:
FortiNAC version 9.4.0 through 9.4.2
FortiNAC version 9.2.0 through 9.2.7
FortiNAC version 9.1.0 through 9.1.9
FortiNAC version 7.2.0 through 7.2.1
FortiNAC 8.8, all versions
FortiNAC 8.7, all versions
FortiNAC 8.6, all versions
FortiNAC 8.5, all versions
FortiNAC 8.3, all versions
The recommended versions to upgrade to in order to address the risk that arises from the vulnerability are:
FortiNAC 9.4.3 or above
FortiNAC 9.2.8 or above
FortiNAC 9.1.10 or above
FortiNAC 7.2.2 or above
The vendor has provided no mitigation advice, so the recommended action is to apply the available security updates.
ALSO READ:
Alert: Million of GitHub Repositories Likely Vulnerable to RepoJacking Attack
CVE-2023-33299 was discovered by Florian Hauser of Code White company that provides red team, penetration testing, and threat intelligence services.
Along with the critical RCE, Fortinet also annouced today that it fixed a medium-severity vulnerability tracked as CVE-2023-33300 – an improper access control issue affecting FortiNAC 9.4.0 through 9.4.3 and FortiNAC 7.2.0 through 7.2.1.
“An improper neutralization of special elements used in a command (‘command injection’) vulnerability [CWE-77] in FortiNAC TCP/5555 service may allow an unauthenticated attacker to copy local files of the device to other local directories of the device via specially crafted input fields” – Fortinet
The lower severity is given by the fact that CVE-2023-33300 can be exploited locally by an attacker with sufficiently high privileges to access the copied data.
Update without delay:
Due to the level of access and control on the network, Fortinet products are particularly attractive for hackers. For the past few years, Fortinet devices have represented a target for various threat actors, who breached organizations with zero-day exploits and by hitting unpatched devices.
A recent example is CVE-2022-39952, a critical RCE impacting FortiNAC that received a fix in mid-February but hackers started using it in attacks a few days later, after proof-of-concept code was published.
In January, Fortinet warned that threat actors had exploited a vulnerability in FortiOS SSL-VPN (CVE-2022-42475) in attacks against government organizations before a fix was available.
Last year in October, the company urged customers to patch devices against a critical authentication bypass in FortiOS, FortiProxy, and FortiSwitchManager (CVE-2022-40684) because hackers started exploiting it.
RELATED: Fortinet Warns Customers of Possible Zero-Day Exploited in Limited Attacks
