CVE-2023-33299: 
FortiNAC vulnerability analysis and mitigation

A critical deserialization of untrusted data vulnerability (CVE-2023-33299) was discovered in Fortinet FortiNAC, affecting versions below 7.2.1, below 9.4.3, below 9.2.8, and all earlier versions of 8.x. The vulnerability was disclosed on June 23, 2023, and was reported by security researcher Florian Hauser from CODE WHITE under responsible disclosure (Fortinet PSIRT).

The vulnerability allows an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests to the TCP port 1050 service. The flaw is classified as CWE-502 (Deserialization of Untrusted Data) and has been assigned a Critical CVSS v3.1 score of 9.8, indicating the highest severity level (NVD, Tenable Blog).

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target device, potentially leading to complete system compromise. The vulnerability affects FortiNAC, which is a network access control solution utilized by organizations to manage network access policies and compliance, making it a critical component of network security (Arctic Wolf).

Fortinet has released patches to address this vulnerability. Organizations are advised to upgrade to the following versions: FortiNAC 9.4.3 or above for 9.4.x versions, 9.2.8 or above for 9.2.x versions, 9.1.10 or above for 9.1.x versions, and 7.2.2 or above for 7.2.x versions. Note that FortiNAC versions 8.x will not be fixed, and users should migrate to a supported version (Fortinet PSIRT).