CVE-2022-39952

CRITICAL EXPLOITED IN THE WILD NUCLEI

Fortinet FortiNAC keyUpload.jsp arbitrary file write

Title source: metasploit
STIX 2.1

Exploitation Summary

CVE-2022-39952 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 6 public exploits from researchers including horizon3ai, Chocapikk, shiyeshu, including a Metasploit module exploits/linux/http/fortinac_keyupload_file_write. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2022-39952, which abuses an arbitrary file write vulnerability in Fortinet FortiNAC via the keyUpload.jsp endpoint. The exploit uploads a malicious cron job to achieve remote code execution.

Description

A external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP request.

Exploits (6)

nomisec WORKING POC 266 stars
by horizon3ai · remote
https://github.com/horizon3ai/CVE-2022-39952

This repository contains a functional exploit for CVE-2022-39952, which abuses an arbitrary file write vulnerability in Fortinet FortiNAC via the keyUpload.jsp endpoint. The exploit uploads a malicious cron job to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Fortinet FortiNAC
No auth needed
Prerequisites: Network access to the target's keyUpload.jsp endpoint on port 8443 · A payload file to be written as a cron job
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC 3 stars
by Chocapikk · remote
https://github.com/Chocapikk/CVE-2022-39952

This repository contains a functional exploit for CVE-2022-39952, a command injection vulnerability in Fortinet FortiNAC. The exploit allows arbitrary command execution via a malicious file upload, supporting both reverse shell and webshell payloads.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Fortinet FortiNAC
No auth needed
Prerequisites: Network access to the target FortiNAC server · Python 3.x with requests module
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC 2 stars
by shiyeshu · remote
https://github.com/shiyeshu/CVE-2022-39952_webshell

This repository contains a functional exploit for CVE-2022-39952, which allows an attacker to upload a malicious ZIP file containing a JSP webshell to a vulnerable Fortinet FortiNAC server. The exploit leverages an unauthenticated file upload vulnerability in the `/configWizard/keyUpload.jsp` endpoint.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Fortinet FortiNAC (versions affected by CVE-2022-39952)
No auth needed
Prerequisites: Network access to the target's HTTPS interface (port 8443) · A JSP webshell file to include in the payload ZIP
devstral-2 · analyzed Feb 19, 2026 Full analysis →
gitlab SCANNER
by Randsec · poc
https://gitlab.com/Randsec/cve-2022-39952-honeypot

This repository implements a honeypot to detect exploitation attempts against CVE-2022-39952, a vulnerability in Fortinet FortiNAC. It captures payloads sent to the vulnerable endpoint `/configWizard/keyUpload.jsp` and stores them for analysis.

Classification
Scanner 90%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: Fortinet FortiNAC
No auth needed
Prerequisites: Network access to the target · Vulnerable FortiNAC instance
devstral-2 · analyzed Feb 23, 2026 Full analysis →
nomisec WORKING POC
by dkstar11q · remote
https://github.com/dkstar11q/CVE-2022-39952-better

This repository contains a functional exploit for CVE-2022-39952, a command injection vulnerability in Fortinet FortiNAC. The exploit allows arbitrary command execution via a malicious file upload to the `/configWizard/keyUpload.jsp` endpoint, delivering either a reverse shell or a webshell payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Fortinet FortiNAC
No auth needed
Prerequisites: Network access to the target FortiNAC server · Python 3.x with `requests` module
devstral-2 · analyzed Feb 19, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Gwendal Guégniaud, Zach Hanley, jheysel-r7 · rubypocunix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/fortinac_keyupload_file_write.rb

This Metasploit module exploits an arbitrary file write vulnerability in Fortinet FortiNAC's keyUpload.jsp endpoint, allowing unauthenticated remote attackers to upload a payload and a cron job to achieve root-level command execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Fortinet FortiNAC versions 9.4 prior to 9.4.1, 9.2 prior to 9.2.6, 9.1 prior to 9.1.8, and all versions of 8.8, 8.7, 8.6, 8.5, and 8.3
No auth needed
Prerequisites: Network access to the target's web interface on port 8443
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Fortinet FortiNAC - Arbitrary File Write
CRITICALVERIFIEDby dwisiswant0
Shodan: title:"FortiNAC" || http.title:"fortinac"
FOFA: title="fortinac"

References (1)

Core 1
Core References

Scores

CVSS v3 9.8
EPSS 0.9981
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2023-07-05
InTheWild.io 2023-02-23
CWE
CWE-668 CWE-73
Status published
Products (1)
fortinet/fortinac 8.3.7 - 8.8.9
Published Feb 16, 2023
Tracked Since Feb 18, 2026