www.belgium.be Logo of the federal government

Warning: FortiNAC - java untrusted object deserialization RCE, Patch Immediately!

Advisory #2023-77
Affected software: 
FortiNAC version 9.4.0 through 9.4.2
FortiNAC version 9.2.0 through 9.2.7
FortiNAC version 9.1.0 through 9.1.9
FortiNAC version 7.2.0 through 7.2.1
FortiNAC 8.8 all versions
FortiNAC 8.7 all versions
FortiNAC 8.6 all versions
FortiNAC 8.5 all versions
FortiNAC 8.3 all versions
Remote Code Execution (CWE-502)

CVE-2023-33299:CVSS 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)




Fortinet is advising its customers on a critical severity vulnerability in its product FortiNAC.

Successful exploitation of CVE-2023-33299 could allow an unauthenticated remote user to execute unauthorized code or commands. This is accomplished by sending specifically crafted requests to the tcp/1050 service.

The attack does not require any user interaction and can be executed remotely. The impact to confidentiality, integrity and availability is high.


On the 23rd of June Fortinet released a PSIRT advisory detailing a critical vulnerability in their FortiNAC product.
The vulnerability is a java untrusted object deserialization Remote Code Execution (RCE)  vulnerability. This is weakness where the product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Affected products:

•    FortiNAC version 9.4.0 through 9.4.2
•    FortiNAC version 9.2.0 through 9.2.7
•    FortiNAC version 9.1.0 through 9.1.9
•    FortiNAC version 7.2.0 through 7.2.1
•    FortiNAC 8.8 all versions
•    FortiNAC 8.7 all versions
•    FortiNAC 8.6 all versions
•    FortiNAC 8.5 all versions
•    FortiNAC 8.3 all versions

Recommended Actions


•    Upgrade to FortiNAC version 9.4.3 or above
•    Upgrade to FortiNAC version 9.2.8 or above
•    Upgrade to FortiNAC version 9.1.10 or above
•    Upgrade to FortiNAC version 7.2.2 or above
•    FortiNAC 8.x. will not be fixed.

Mitigate/ workaround

No specific mitigations or workaround provided by Fortinet.

The Centre for Cyber security Belgium recommends system administrators to patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity. This report has instructions to help your organization. In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
The CCB recommends organizations to upscale monitoring and detection capabilities and to detect any related suspicious activity, ensuring a fast response in case of an intrusion.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

When applying patches to systems that have been vulnerable to an authentication bypass, a proactive threat assessment should be performed to verify the device was not accessed from an unknown IP or location.