CVE-2022-39952
published 2023-02-16

CVE-2022-39952: An external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through…

Priority: P194 · Severity: critical, 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 99.81% (100.0th percentile)
An external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, and 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via a specifically crafted HTTP request.

Affected

14 ranges (rows for which the page lists no version data are shown as "not given")

Vendor    Product   Version range        Fixed in
fortinet  fortinac  not given
fortinet  fortinac  not given
fortinet  fortinac  not given
fortinet  fortinac  8.3.7 – 8.8.9
fortinet  fortinac  8.5.0 – 8.5.4
fortinet  fortinac  8.6.0 – 8.6.5
fortinet  fortinac  8.7.0 – 8.7.6
fortinet  fortinac  8.8.0 – 8.8.11
fortinet  fortinac  >= 9.1.0, < 9.1.8    9.1.8
fortinet  fortinac  9.1.0 – 9.1.7
fortinet  fortinac  >= 9.2.0, < 9.2.6    9.2.6
fortinet  fortinac  9.2.0 – 9.2.5
fortinet  fortinac  >= 9.4.0, < 9.4.1    9.4.1
fortinet  fortinet  not given
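The version ranges above are easy to misread when triaging a fleet (the 9.x branches list a fixed build, the 8.x branches do not). The following is an added example, not code from this page or from Fortinet: a small checker that takes a FortiNAC version string and reports whether it falls in an affected range as stated in the CVE description, and which fixed build (where the page lists one) resolves it. The range table is transcribed from the description text; build suffixes in version strings are ignored by assumption.

```python
import re
from typing import Dict, Optional, Tuple

# Affected ranges as stated in the CVE-2022-39952 description, plus the fixed-in
# builds the page lists for the 9.x branches. The 8.x branches have no fixed build
# listed on the page, so fixed_in is None for them (not a claim that none exists).
AFFECTED_RANGES: Tuple[Tuple[str, str, Optional[str]], ...] = (
    ("8.3.7", "8.3.7", None),
    ("8.5.0", "8.5.4", None),
    ("8.6.0", "8.6.5", None),
    ("8.7.0", "8.7.6", None),
    ("8.8.0", "8.8.11", None),
    ("9.1.0", "9.1.7", "9.1.8"),
    ("9.2.0", "9.2.5", "9.2.6"),
    ("9.4.0", "9.4.0", "9.4.1"),
)


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '9.2.5' (or '9.2.5 build 0712', by assumption) into (9, 2, 5).

    Only the first three numeric components are kept so that a trailing build
    number cannot make '9.2.5 build 1' compare greater than '9.2.5'.
    """
    parts = re.findall(r"\d+", s)
    if len(parts) < 3:
        raise ValueError(f"not a major.minor.patch version: {s!r}")
    return tuple(int(p) for p in parts[:3])


def assess(version: str) -> Dict[str, Optional[str]]:
    """Classify a FortiNAC version against the advisory's ranges.

    status is one of:
      'affected'   - inside a listed vulnerable range
      'fixed'      - on a branch with a listed fix and at or above that build
      'not_listed' - not covered by any range on the page (e.g. 9.3.x); treat
                     as 'unknown', not as 'safe'
    """
    v = parse_version(version)
    branch = v[:2]
    for lo, hi, fixed in AFFECTED_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            return {"status": "affected", "fixed_in": fixed}
        if fixed is not None:
            fixed_v = parse_version(fixed)
            if branch == fixed_v[:2] and v >= fixed_v:
                return {"status": "fixed", "fixed_in": fixed}
    return {"status": "not_listed", "fixed_in": None}


if __name__ == "__main__":
    for ver in ("9.2.5", "9.2.6", "9.4.0", "9.4.1", "8.8.11", "9.3.0", "9.1.7 build 0712"):
        print(f"{ver:20s} -> {assess(ver)}")
```

Note the 'not_listed' outcome: the page does not enumerate every branch, so a version that matches nothing should be escalated to a human rather than reported as unaffected.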

Detection & IOCs (extracted from sources)

  • Honeypot and threat intelligence data confirmed active exploitation attempts against CVE-2022-39952 from multiple IPs starting February 21, 2023, shortly after a public PoC was released.
  • The vulnerable endpoint /configWizard/keyUpload.jsp requires no authentication, so any attacker with network reachability to the FortiNAC web interface can attempt exploitation without credentials.
  • Fortinet notes that most FortiNAC deployments are in air-gapped environments not exposed to the internet, which limits the realistic attack surface despite high theoretical exposure counts.
  • A working public PoC was released shortly after the February 16, 2023 advisory, accelerating exploitation risk for unpatched systems.
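Because the endpoint is unauthenticated, the one detection signal the page supports is the request itself: any hit on /configWizard/keyUpload.jsp from a source that has no business reaching the management interface. The following is an added example, not code from this page, from Fortinet, or from any published PoC: it scans web-server access logs in Common/Combined Log Format (an assumption about your logging setup) for requests to that path, percent-decoding the target so an encoded slash does not slip past the comparison, and summarises hits per source address. The log lines are constructed with RFC 5737 test addresses; the POST method in them is an assumption, not something the page states.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List
from urllib.parse import unquote

VULN_ENDPOINT = "/configWizard/keyUpload.jsp"

# Common/Combined Log Format. Assumption: the proxy or appliance in front of
# FortiNAC logs in this shape; adapt the regex for other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not real traffic). The third line percent-encodes the
# slash; the last line is deliberately malformed to show the parser skipping it.
SAMPLE_LOG = """\
198.51.100.7 - - [21/Feb/2023:10:14:02 +0000] "POST /configWizard/keyUpload.jsp HTTP/1.1" 200 512
198.51.100.7 - - [21/Feb/2023:10:14:05 +0000] "POST /configWizard/keyUpload.jsp?x=1 HTTP/1.1" 200 512
203.0.113.9 - - [21/Feb/2023:11:02:44 +0000] "POST /configWizard%2FkeyUpload.jsp HTTP/1.1" 200 480
192.0.2.15 - - [21/Feb/2023:11:05:10 +0000] "GET /index.jsp HTTP/1.1" 200 3021
this line is not in log format
"""


def normalize_path(target: str) -> str:
    """Drop the query string and percent-decode so '%2F' compares equal to '/'."""
    path = target.split("?", 1)[0]
    return unquote(path)


def find_hits(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per request whose decoded path is the vulnerable endpoint."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole scan
        if normalize_path(m["target"]) == VULN_ENDPOINT:
            hits.append(
                {
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "method": m["method"],
                    "status": int(m["status"]),
                }
            )
    return hits


def summarize(hits: List[Dict[str, object]]) -> Counter:
    """Count hits per source address; repeated hits from one source read as a scan."""
    return Counter(str(h["ip"]) for h in hits)


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG.splitlines())
    for h in found:
        print(h)
    print(summarize(found))
```

A 200 on this path from an external address is worth an alert on its own; the page does not describe the request body, so this check deliberately keys on the path rather than on payload contents.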

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL