CVE-2022-39953: 
FortiNAC vulnerability analysis and mitigation

An improper privilege management vulnerability (CVE-2022-39953) was discovered in Fortinet FortiNAC, affecting multiple versions including 9.4.0-9.4.1, 9.2.0-9.2.6, 9.1.0-9.1.8, and all versions of 8.8, 8.7, 8.6, 8.5, and 8.3.7. The vulnerability was internally discovered by Gwendal Guégniaud of Fortinet Product Security team and was publicly disclosed on March 7, 2023 (Fortinet Advisory).

The vulnerability is classified as an improper privilege management issue (CWE-269) that could allow a low-privilege local user with shell access to execute arbitrary commands as root through specially crafted commands. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High), with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The successful exploitation of this vulnerability allows attackers to escalate their privileges to root level, potentially gaining complete control over the affected FortiNAC system. This could lead to unauthorized access to sensitive information, system modification, and full system compromise (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to FortiNAC version 9.4.2 or above, version 9.2.7 or above, version 9.1.9 or above, or version 7.2.0 or above, depending on their current version (Fortinet Advisory).