Fortinet releases patches for a critical FortiNAC vulnerability leading to remote code execution without authentication.

Tracked as CVE-2023-33299, the critical flaw is described as an issue related to deserialization of untrusted data that can lead to remote code execution (RCE).

An unauthenticated attacker could exploit this vulnerability “to execute unauthorized code or commands via specifically crafted requests to the TCP/1050 service”, Fortinet explains.

The vulnerability impacts FortiNAC versions up to 7.2.1, up to 9.4.2, up to 9.2.7, and up to 9.1.9, as well as all 8.x iterations.

Fortinet has addressed the security defect with the release of FortiNAC versions 9.4.3, 9.2.8, 9.1.10, and 7.2.2, but will not release patches for FortiNAC 8.x.

Also resolved by Fortinet is a medium-severity vulnerability tracked as CVE-2023-33300, an improper access control issue affecting FortiNAC 9.4.0 through 9.4.3 and FortiNAC 7.2.0 through 7.2.1. It has been fixed in FortiNAC versions 7.2.2 and 9.4.4.
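The version ranges above can be turned into a quick inventory check. The following Python sketch is an added example, not code from Fortinet or from this article. It assumes that "up to X.Y.Z" covers the X.Y branch from X.Y.0 onward and reports branches the article does not name as unlisted; the host names and the inventory are constructed.

```python
import re

# Ranges transcribed from the article. Assumption: "up to X.Y.Z" covers the
# X.Y branch from X.Y.0 through X.Y.Z; branches the article does not name
# are reported as unlisted rather than guessed.
ADVISORIES = {
    "CVE-2023-33299": {  # branch -> (last affected, first fixed)
        (7, 2): ((7, 2, 1), (7, 2, 2)),
        (9, 1): ((9, 1, 9), (9, 1, 10)),
        (9, 2): ((9, 2, 7), (9, 2, 8)),
        (9, 4): ((9, 4, 2), (9, 4, 3)),
    },
    "CVE-2023-33300": {
        (7, 2): ((7, 2, 1), (7, 2, 2)),
        (9, 4): ((9, 4, 3), (9, 4, 4)),
    },
}
LISTED = {branch for ranges in ADVISORIES.values() for branch in ranges}

def parse_version(text):
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    return tuple(int(p) for p in m.groups())  # numeric, so 9.1.10 > 9.1.9

def triage(version_text):
    """Return (status, cves, upgrade_target) for one FortiNAC version string."""
    v = parse_version(version_text)
    if v[0] == 8:
        # All 8.x releases are affected by CVE-2023-33299 and get no patch.
        return "affected-no-fix", ["CVE-2023-33299"], None
    branch = v[:2]
    if branch not in LISTED:
        return "unlisted", [], None
    hits, target = [], None
    for cve, ranges in ADVISORIES.items():
        if branch in ranges and v <= ranges[branch][0]:
            hits.append(cve)
            fixed = ranges[branch][1]
            # Upgrade target is the highest fix needed across both CVEs.
            target = fixed if target is None else max(target, fixed)
    if not hits:
        return "patched", [], None
    return "affected", hits, ".".join(map(str, target))

if __name__ == "__main__":
    # Constructed inventory, not from the article.
    for host, ver in [("nac-a", "9.4.2"), ("nac-b", "9.4.3"), ("nac-c", "8.8.11")]:
        print(host, ver, triage(ver))
```

On the 9.4 branch the check shows that upgrading only to 9.4.3 closes CVE-2023-33299 but leaves CVE-2023-33300 open, so the target there is 9.4.4.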

The alert follows the active exploitation of another critical vulnerability affecting FortiOS and FortiProxy (CVE-2023-27997) that could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

Earlier this month, Fortinet acknowledged that the issue may have been abused in limited attacks targeting government, manufacturing, and critical infrastructure sectors, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog.