CVE-2023-33299

CWE-502Deserialization of Untrusted Data5 documents5 sources
Severity
9.8CRITICAL
EPSS
10.8%
top 6.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Fortinet Fortinac
Timeline
PublishedJun 23

Description

A deserialization of untrusted data in Fortinet FortiNAC below 7.2.1, below 9.4.3, below 9.2.8 and all earlier versions of 8.x allows attacker to execute unauthorized code or commands via specifically crafted request on inter-server communication port. Note FortiNAC versions 8.x will not be fixed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

CVEListV5fortinet/fortinac9.4.09.4.2+8
NVDfortinet/fortinac8.5.08.5.4+11

🔴Vulnerability Details

2
GHSA
GHSA-2j65-72jp-x2mj: A deserialization of untrusted data in Fortinet FortiNAC below 72023-06-23
CVEList
CVE-2023-33299: A deserialization of untrusted data in Fortinet FortiNAC below 72023-06-23

📋Vendor Advisories

1
Fortinet
A deserialization of untrusted data in Fortinet FortiNAC below 7.2.1, below 9.4.3, below 9.2.8 and all earlier versions...2023-06-23

🕵️Threat Intelligence

1
Tenable
CVE-2023-33299: Critical Remote Code Execution Vulnerability in FortiNAC2023-06-23
CVE-2023-33299 (CRITICAL CVSS 9.8) | A deserialization of untrusted data | cvebase.io