CVE-2022-38375

9.1 CRITICAL

📋 TL;DR

CVE-2022-38375 is an improper authorization vulnerability in Fortinet FortiNAC that allows unauthenticated attackers to perform administrative operations via crafted HTTP POST requests. This affects FortiNAC versions 9.4.0 through 9.4.1 and versions before 9.2.6, potentially giving attackers administrative control over the FortiNAC instance.

💻 Affected Systems

Products:
  • Fortinet FortiNAC
Versions: 9.4.0 through 9.4.1, and versions before 9.2.6
Operating Systems: FortiNAC appliance (Linux-based hardware and virtual appliances)
Default Config Vulnerable: ⚠️ Yes
Notes: All installations within affected version ranges are vulnerable by default. No special configuration required for exploitation.

📦 What is this software?

FortiNAC is Fortinet's network access control (NAC) product. It discovers and profiles devices as they join the network and enforces access policy by pushing configuration changes to switches, wireless controllers and firewalls. Whoever controls FortiNAC therefore controls which devices are admitted to which network segments, which is why an unauthenticated administrative flaw in it is rated critical.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the FortiNAC instance, allowing attackers to modify configurations, create administrative accounts, disable security controls, and potentially pivot to other network systems.

🟠 Likely Case

Attackers gain administrative access to FortiNAC, enabling them to modify network access policies, create backdoor accounts, and disrupt network operations.

🟢 If Mitigated

Limited impact if network segmentation and access controls prevent untrusted hosts from reaching the FortiNAC management interface; the vulnerability itself is still present until the appliance is upgraded.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ❌ No (none known at the time of writing)
Weaponized: Not publicly confirmed
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Per the vendor advisory, exploitation needs only crafted HTTP POST requests to the FortiNAC web interface and no credentials. The affected endpoints and request contents have not been published, so the LOW complexity rating reflects the advisory's assessment rather than a public exploit; treat any host that can reach the management interface as able to exploit it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.4.2 or later (9.4 train); 9.2.6 or later (9.2 and earlier trains)

Vendor Advisory: https://fortiguard.com/psirt/FG-IR-22-329

Restart Required: Yes

Instructions:

  1. Download the fixed FortiNAC release (9.4.2+ or 9.2.6+) from the Fortinet support portal.
  2. Back up the current configuration and database before upgrading.
  3. Upgrade following Fortinet's documented FortiNAC upgrade procedure for your train.
  4. Restart the FortiNAC appliance.
  5. Confirm in the administrative UI that the running version is 9.4.2 or later, or 9.2.6 or later.

🔧 Temporary Workarounds

Network Access Restriction (all platforms)

Restrict access to the FortiNAC management interface (the administrative web UI and its API) to trusted administrative IP addresses only, using an upstream firewall or the appliance's own host firewall. Because the flaw needs no credentials, this is the only workaround that actually removes attacker reach; it does not remove the vulnerability.

Web Application Firewall (all platforms)

Where a WAF or reverse proxy fronts the management interface, allow HTTP POST requests to FortiNAC administrative paths only from the same trusted source addresses. Content-based rules are unreliable here because the vulnerable endpoints and request format are not public, so a WAF is a defence-in-depth layer on top of the IP restriction, not a substitute for it.

🧯 If You Can't Patch

  • Isolate FortiNAC management interfaces from untrusted networks using firewall rules.
  • Implement strict network segmentation to limit potential lateral movement if compromised.

🔍 How to Verify

Check if Vulnerable:

Read the running version from the FortiNAC administrative web UI (the version string is shown in the UI's system/About information). Note that `get system status` is FortiOS CLI syntax; the FortiNAC 9.x appliance is a Linux-based system and does not provide that command, so do not rely on it for this check.

Check Version:

Compare the running version against the affected ranges on this page: 9.4.0 through 9.4.1, and anything before 9.2.6, is vulnerable.

Verify Fix Applied:

Confirm the running version is 9.4.2 or later, or 9.2.6 or later, and that the appliance was restarted after the upgrade. Where you have authorisation, an external scan should confirm the management interface is reachable only from the trusted administrative ranges.
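A small version-triage helper, added here as an example and not part of the original page or any Fortinet tooling. The affected and fixed ranges are exactly those stated on this page; confirm them against the FG-IR-22-329 advisory before acting on the output, since the advisory is the authoritative list. The sample version strings are constructed.

```python
import re

# Affected ranges as stated on this page (inclusive tuples); the advisory
# FG-IR-22-329 is authoritative and should be checked before relying on these.
AFFECTED = [
    ((9, 4, 0), (9, 4, 1)),   # 9.4.0 through 9.4.1
    ((0, 0, 0), (9, 2, 5)),   # "versions before 9.2.6"
]

VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from strings such as '9.4.1' or
    '9.2.5-build0482' (build suffix assumed, ignored for comparison)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(text):
    """True if the version falls inside any affected range on this page."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def minimum_fixed(text):
    """Lowest fixed release for the given version, per this page:
    9.4.x moves to 9.4.2, everything below 9.2.6 moves to 9.2.6.
    Check the vendor upgrade path for older trains before jumping."""
    v = parse_version(text)
    if v[:2] == (9, 4):
        return (9, 4, 2)
    return (9, 2, 6)


def triage(versions):
    """Summarise a list of (hostname, version) pairs; hostnames are constructed."""
    report = {}
    for host, ver in versions:
        report[host] = {
            "vulnerable": is_vulnerable(ver),
            "upgrade_to": ".".join(map(str, minimum_fixed(ver))) if is_vulnerable(ver) else None,
        }
    return report


if __name__ == "__main__":
    inventory = [("nac-01", "9.4.1"), ("nac-02", "9.2.5-build0482"), ("nac-03", "9.4.2")]
    for host, row in triage(inventory).items():
        print(host, row)
```

Run it against an inventory export; anything reporting `vulnerable: True` needs the upgrade in the Fix section or, at minimum, the network restriction workaround.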

📡 Detection & Monitoring

Log Indicators:

  • Successful POST requests to administrative endpoints with no associated authenticated session
  • Administrative changes (new accounts, policy edits) recorded without a preceding successful login for that source
  • Administrative actions from IP addresses outside the trusted management range

Network Indicators:

  • HTTP POST requests to FortiNAC administrative endpoints from external/untrusted sources
  • Unusual traffic patterns to FortiNAC management ports

SIEM Query (illustrative; field names depend on how your web server or reverse proxy logs FortiNAC traffic):

source="fortinac" AND (http_method="POST" AND (url_path="/admin/*" OR url_path="/api/*")) AND user="-"

Caveat: session-cookie logins often leave the web server's user field as "-" even for legitimate administrators, so this query will alert on normal activity unless it is paired with a source-address allowlist or correlated against FortiNAC's own administrative audit trail.
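The detection logic above run over sample log lines, as an added example that is not part of the original page or of any FortiNAC component. The log lines are constructed in Apache/NCSA combined format; the `/admin/` and `/api/` paths are taken from the page's own query and are assumptions, not documented FortiNAC endpoints. The trusted administrative range is also an assumption for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample access-log lines (Apache/NCSA combined format). The
# administrative paths and the trusted range used below are assumptions.
SAMPLE_LOG = """\
10.10.5.20 - admin [14/Oct/2022:09:01:12 +0000] "POST /admin/users HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.45 - - [14/Oct/2022:09:02:40 +0000] "POST /admin/users HTTP/1.1" 200 498 "-" "python-requests/2.28"
10.10.5.21 - - [14/Oct/2022:09:03:05 +0000] "GET /admin/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Oct/2022:09:04:17 +0000] "POST /api/config HTTP/1.1" 200 77 "-" "curl/7.85.0"
10.10.5.20 - admin [14/Oct/2022:09:05:00 +0000] "POST /api/config HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Path prefixes treated as administrative; mirrors the page's SIEM query.
ADMIN_PREFIXES = ("/admin/", "/api/")


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    reason: str


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_unauthenticated_admin_posts(log_text, trusted_cidrs):
    """Flag successful POSTs to administrative paths that either carry no
    authenticated user or originate outside the trusted management ranges."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if rec["method"] != "POST" or not rec["path"].startswith(ADMIN_PREFIXES):
            continue
        if rec["status"][0] not in "23":
            continue  # only requests the application accepted are interesting
        src = ipaddress.ip_address(rec["ip"])
        reasons = []
        if rec["user"] == "-":
            reasons.append("no authenticated user")
        if not any(src in n for n in nets):
            reasons.append("untrusted source")
        if reasons:
            findings.append(Finding(rec["ip"], rec["ts"], rec["path"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_unauthenticated_admin_posts(SAMPLE_LOG, ["10.10.5.0/24"]):
        print(f"{f.ts} {f.ip} POST {f.path}: {f.reason}")
```

The source-address check is the reliable signal: an accepted administrative POST from outside the management range is suspicious regardless of what the user field says. The "no authenticated user" reason is only meaningful if your front end actually records the session user; otherwise correlate the hit against FortiNAC's own administrative audit log.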

🔗 References

  • Fortinet PSIRT advisory FG-IR-22-329: https://fortiguard.com/psirt/FG-IR-22-329
  • NVD entry for CVE-2022-38375: https://nvd.nist.gov/vuln/detail/CVE-2022-38375