CVE-2023-33299

CRITICAL

Fortinet FortiNAC <7.2.1, <9.4.3, <9.2.8, <=8.x - Deserialization of Untrusted Data (CWE-502)

Title source: llm

Description

A deserialization of untrusted data in Fortinet FortiNAC below 7.2.1, below 9.4.3, below 9.2.8 and all earlier versions of 8.x allows an attacker to execute unauthorized code or commands via a specifically crafted request on the inter-server communication port. Note: FortiNAC versions 8.x will not be fixed.

Scores

CVSS v3 9.8
EPSS 0.0999
EPSS Percentile 92.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502
Status published

Affected Products (7)

fortinet/fortinac < 8.5.4

Timeline

Published Jun 23, 2023
Tracked Since Feb 18, 2026