CVE-2022-40677: 
FortiNAC vulnerability analysis and mitigation

A command argument injection vulnerability (CVE-2022-40677) was discovered in Fortinet FortiNAC affecting multiple versions including 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, and 8.3.7. The vulnerability stems from improper neutralization of argument delimiters in commands, which could allow attackers to execute unauthorized code or commands through specially crafted input parameters (MITRE CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High), with the following vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs low privileges, requires no user interaction, and has high impacts on confidentiality, integrity, and availability. The vulnerability is classified as CWE-88, which relates to argument injection issues (NVD).

The successful exploitation of this vulnerability could lead to unauthorized code execution or command execution on affected systems. The high CVSS impact scores (C:H/I:H/A:H) indicate that successful exploitation could result in significant compromise of system confidentiality, integrity, and availability (NVD).

Fortinet has released security patches to address this vulnerability. Organizations using affected versions of FortiNAC should upgrade to a patched version as recommended by Fortinet (Fortiguard PSIRT).