CVE-2022-45860: 
FortiNAC vulnerability analysis and mitigation

A weak authentication vulnerability (CWE-1390) was discovered in FortiNAC's device registration page. The vulnerability affects FortiNAC-F version 7.2.0, FortiNAC version 9.4.2 and below, 9.2 all versions, 9.1 all versions, 8.8 all versions, and 8.7 all versions. The issue was initially published on May 3, 2023 (Fortinet Advisory).

The vulnerability is classified as a weak authentication mechanism in the device registration page that could potentially be exploited by unauthenticated attackers. It has been assigned a CVSS v3.1 base score of 7.5 (HIGH) by NIST and 5.3 (MEDIUM) by Fortinet. The vulnerability is tracked as CVE-2022-45860 and is categorized under CWE-1390 (Weak Authentication) and CWE-287 (Improper Authentication) (NVD).

The vulnerability allows an unauthenticated attacker to perform password spraying attacks with an increased chance of success, potentially leading to unauthorized access to the system. The impact primarily affects the confidentiality of the system, as indicated by the CVSS metrics (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to FortiNAC version 9.4.3 or above, or FortiNAC-F version 7.2.1 or above. It is recommended to change passwords after the upgrade (Fortinet Advisory).

The vulnerability was responsibly disclosed by KPN to Fortinet, demonstrating effective collaboration between security researchers and vendors (Fortinet Advisory).