CVE-2022-39954: 
FortiNAC vulnerability analysis and mitigation

An XML external entity (XXE) injection vulnerability identified as CVE-2022-39954 was discovered in multiple versions of Fortinet FortiNAC. The affected versions include FortiNAC 9.4.0 through 9.4.1, 9.2.0 through 9.2.7, 9.1.0 through 9.1.8, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, and version 8.3.7. The vulnerability was disclosed on February 16, 2023 (Fortinet Advisory).

The vulnerability stems from an improper restriction of XML external entity reference in FortiNAC. It has been assigned a CVSS v3.1 base score of 9.1 CRITICAL by NIST (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), while Fortinet assessed it with a score of 7.3 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). The vulnerability is classified under CWE-611 (Improper Restriction of XML External Entity Reference) (NVD).

The vulnerability allows an attacker to read arbitrary files or trigger a denial of service through specifically crafted XML documents. The impact assessment indicates high potential for both confidentiality breach and availability disruption (NVD).

Fortinet has addressed this vulnerability by releasing updated versions of FortiNAC. Users are advised to upgrade to the latest version of their respective FortiNAC installations (Fortinet Advisory).