CVE-2023-33299
published 2023-06-23

CVE-2023-33299: A deserialization of untrusted data in Fortinet FortiNAC below 7.2.1, below 9.4.3, below 9.2.8 and all earlier versions of 8.x allows an attacker to execute…

Priority: P274
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 24.30% (97.6th percentile)

A deserialization of untrusted data in Fortinet FortiNAC below 7.2.1, below 9.4.3, below 9.2.8 and all earlier versions of 8.x allows an attacker to execute unauthorized code or commands via a specifically crafted request on the inter-server communication port. Note: FortiNAC versions 8.x will not be fixed.

Affected

16 ranges

Vendor | Product | Version range | Fixed in
fortinet | fortinac | |
fortinet | fortinac | |
fortinet | fortinac | |
fortinet | fortinac | |
fortinet | fortinac | |
fortinet | fortinac | |
fortinet | fortinac | |
fortinet | fortinac | 7.2.0 – 7.2.1 |
fortinet | fortinac | 8.5.0 – 8.5.4 |
fortinet | fortinac | 8.6.0 – 8.6.5 |
fortinet | fortinac | 8.7.0 – 8.7.6 |
fortinet | fortinac | 8.8.0 – 8.8.11 |
fortinet | fortinac | 9.1.0 – 9.1.9 |
fortinet | fortinac | 9.2.0 – 9.2.7 |
fortinet | fortinac | 9.4.0 – 9.4.2 |
fortinet | fortinet | |

Detection & IOCs (extracted from sources)

port: TCP/1050
port: TCP/5555

  • Monitor for unexpected or unauthenticated inbound connections to TCP port 1050 on FortiNAC appliances; this is the inter-server communication port targeted by CVE-2023-33299 deserialization exploitation.
  • Monitor for unexpected or unauthenticated inbound connections to TCP port 5555 on FortiNAC appliances; this port is targeted by the related CVE-2023-33300 command injection vulnerability.
  • The vulnerability is exploitable by a remote, unauthenticated attacker via a specially crafted deserialization payload; inspect traffic to TCP/1050 for Java/object deserialization patterns (e.g., 'ac ed 00 05' magic bytes) as an indicator of exploitation attempts.
  • FortiNAC versions 8.x (8.3 through 8.8, all versions) are confirmed vulnerable and will NOT receive a patch; organizations running any 8.x version must upgrade to a non-affected release.
  • TCP ports 1050 and 5555 are inter-server communication ports not commonly exposed to the public internet; however, internal network exposure still poses significant risk and patching remains critical.
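
One way to implement the checks in the list above, as an added example that is not part of the original page or of any vendor tooling. The record shape, addresses and payload bytes are constructed, and the trusted-peer allowlist is an assumption about how the appliance's legitimate inter-server partners would be modelled.

```python
from dataclasses import dataclass

# Java ObjectOutputStream header: STREAM_MAGIC 0xACED + STREAM_VERSION 0x0005.
JAVA_STREAM_HEADER = bytes.fromhex("aced0005")
# Ports and the CVE the page associates with each.
WATCHED_PORTS = {1050: "CVE-2023-33299", 5555: "CVE-2023-33300"}

@dataclass(frozen=True)
class Payload:
    """One reassembled client-to-server payload (hypothetical record shape)."""
    src: str
    dst: str
    dport: int
    data: bytes

def inspect(p, appliances, trusted_peers):
    """Return finding strings for one payload; an empty list means nothing to report."""
    if p.dst not in appliances or p.dport not in WATCHED_PORTS:
        return []
    cve = WATCHED_PORTS[p.dport]
    findings = []
    if p.src not in trusted_peers:
        findings.append(f"untrusted-source:{cve}")
    # Only TCP/1050 is tied to deserialization on the page. The header is searched
    # anywhere in the payload because the port's framing is not described there.
    offset = p.data.find(JAVA_STREAM_HEADER) if p.dport == 1050 else -1
    if offset != -1:
        findings.append(f"java-serialization-header@{offset}:{cve}")
    return findings

def scan(payloads, appliances, trusted_peers):
    """Map (src, dst, dport) to findings for every payload that raised any."""
    report = {}
    for p in payloads:
        found = inspect(p, appliances, trusted_peers)
        if found:
            report.setdefault((p.src, p.dst, p.dport), []).extend(found)
    return report

# Constructed sample data: documentation address ranges and inert filler bytes.
APPLIANCES = {"192.0.2.10"}
TRUSTED_PEERS = {"192.0.2.11"}
FILLER = b"\x00\x00\x00\x08" + JAVA_STREAM_HEADER + b"sr\x00\x04demo"
SAMPLES = [
    Payload("192.0.2.11", "192.0.2.10", 1050, FILLER),
    Payload("198.51.100.7", "192.0.2.10", 1050, FILLER),
    Payload("198.51.100.7", "192.0.2.10", 5555, b"constructed text\n"),
    Payload("198.51.100.7", "192.0.2.10", 443, JAVA_STREAM_HEADER),
]
```

A serialization header from an allowlisted peer may be ordinary inter-server traffic, so the header finding combined with an untrusted source is the stronger signal.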