
Threat actors are targeting Internet-exposed Fortinet appliances with exploits targeting CVE-2022-39952, an unauthenticated file path manipulation vulnerability in the FortiNAC webserver that can be abused for remote command execution.

These attacks come one day after Horizon3 security researchers released proof-of-concept exploit code for the critical-severity flaw; the PoC adds a cron job that initiates a reverse shell from compromised systems as the root user.

Fortinet disclosed the vulnerability in a security advisory on Thursday, saying the bug affects multiple versions of its FortiNAC network access control solution and allows attackers to execute unauthorized code or commands following successful exploitation.

The company has released security updates and urged customers to upgrade vulnerable appliances to the latest available versions, which address the vulnerability.

Since Fortinet has not provided mitigation guidance or workarounds, updating is the only way to thwart attack attempts.

Horizon3 Attack Team FortiNAC tweet

Attackers have already begun targeting unpatched FortiNAC appliances with CVE-2022-39952 exploits, as first discovered by security researchers at the Shadowserver Foundation on Tuesday.

"We are seeing Fortinet FortiNAC CVE-2022-39952 exploitation attempts from multiple IPs in our honeypot sensors," Shadowserver's Piotr Kijewski said.

Their findings were confirmed by researchers at cybersecurity companies GreyNoise and CronUp on Wednesday after seeing CVE-2022-39952 attacks from multiple IP addresses.

CronUp security researcher Germán Fernández revealed in a report that they're "observing massive exploitation of Fortinet FortiNAC devices via the CVE-2022-39952 vulnerability."

"This vulnerability is critical and key in the Cybersecurity ecosystem, since in the first instance, it could allow initial access to the corporate network," Fernández said.

Malicious activity observed while analyzing these ongoing attacks matches Horizon3's PoC exploit capabilities, with CronUp seeing threat actors using cron jobs to open reverse shells to attackers' IP addresses.

CVE-2022-39952 exploit payload (CronUp)

In December, Fortinet warned customers to patch FortiOS SSL-VPN appliances against an actively exploited security bug (CVE-2022-42475) that enables unauthenticated remote code execution on vulnerable devices.

As the company later revealed, the flaw was also exploited as a zero-day in attacks against government organizations and government-related targets.

Two months earlier, the company also urged admins to urgently patch a critical FortiOS, FortiProxy, and FortiSwitchManager authentication bypass vulnerability (CVE-2022-40684) exploited in the wild.

Update February 23, 12:45 EST: According to CronUp, attackers have now started to also install fortii.jsp and shell.jsp web shells in the bsc/campusMgr/ui/ROOT/ folder on compromised FortiNAC devices.
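As an added defender-side example (written here, not code from the article, CronUp, Horizon3 or Fortinet), the following Python hunt checks a file listing for the two web-shell names and folder reported above and flags cron entries that pair a shell or network tool with a literal IP address, the pattern behind the reverse-shell cron jobs described earlier. The cron heuristics and all sample data are constructed assumptions, not indicators published with the article.

```python
"""Hunt for the post-exploitation artefacts described in the article: web shells dropped
under bsc/campusMgr/ui/ROOT/ and cron jobs that open outbound (reverse) shells."""
import re

# Reported by CronUp (from the article): directory and web-shell file names.
WEBSHELL_DIR = "bsc/campusMgr/ui/ROOT"
WEBSHELL_NAMES = {"fortii.jsp", "shell.jsp"}

# Heuristics for a cron entry that opens an outbound shell. These patterns are an
# assumption chosen for illustration, not indicators from the article.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHELL_RE = re.compile(r"/dev/tcp/|\b(?:nc|ncat|bash -i|sh -i|python[23]? -c|perl -e)\b")

def find_webshells(relpaths):
    """Return (known, other_jsp): known web-shell names sitting directly in WEBSHELL_DIR,
    and any other .jsp in that same folder, which deserves manual review against a baseline."""
    known, other_jsp = [], []
    for p in relpaths:
        d, _, name = p.replace("\\", "/").rpartition("/")
        if d != WEBSHELL_DIR:
            continue
        if name in WEBSHELL_NAMES:
            known.append(p)
        elif name.lower().endswith(".jsp"):
            other_jsp.append(p)
    return sorted(known), sorted(other_jsp)

def suspicious_cron_lines(crontab_text):
    """Return non-comment cron lines that combine a shell/network tool with a literal IP."""
    hits = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if SHELL_RE.search(s) and IP_RE.search(s):
            hits.append(s)
    return hits

if __name__ == "__main__":
    # Constructed sample data, not taken from a real appliance.
    sample_paths = ["bsc/campusMgr/ui/ROOT/index.jsp", "bsc/campusMgr/ui/ROOT/fortii.jsp",
                    "bsc/campusMgr/ui/ROOT/shell.jsp", "bsc/campusMgr/ui/ROOT/img/logo.png"]
    sample_cron = ("0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf\n# routine job\n"
                   "* * * * * bash -i /dev/tcp/192.0.2.10/4444  # placeholder, not a working command\n")
    print(find_webshells(sample_paths))
    print(suspicious_cron_lines(sample_cron))
```

On a live appliance, feed `find_webshells` the relative paths from an `os.walk` of the FortiNAC install root and `suspicious_cron_lines` the contents of the root and system crontabs.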
