Fortinet FortiNAC RCE via arbitrary file upload
Description
Fortinet FortiNAC contains an unauthenticated arbitrary file write vulnerability in the /configWizard/keyUpload.jsp endpoint. The vulnerability stems from improper validation when extracting user-supplied ZIP archives, allowing directory traversal sequences to write files outside the intended directory. This affects FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, and all versions from 8.3 through 8.8. Attackers can exploit this flaw without authentication to upload malicious files to arbitrary locations on the server.
Remediation
Apply the appropriate security update immediately based on your current FortiNAC version:

- For version 9.4.x: Upgrade to FortiNAC version 9.4.1 or later
- For version 9.2.x: Upgrade to FortiNAC version 9.2.6 or later
- For version 9.1.x: Upgrade to FortiNAC version 9.1.8 or later
- For versions 8.3 through 8.8: Upgrade to FortiNAC version 7.2.0 or later (or preferably to the latest 9.x branch)

As an interim mitigation measure if immediate patching is not possible, restrict network access to the FortiNAC web interface to trusted management networks only using firewall rules or access control lists. Monitor web server logs for suspicious POST requests to /configWizard/keyUpload.jsp and investigate any unexpected file uploads or modifications to the web application directory.
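The root cause described above is the classic "zip slip" pattern: archive member names are trusted as-is, so an entry such as ../../x is written outside the upload directory. The following is an added example (not FortiNAC code and not taken from the advisory) of the pre-extraction check an upload handler needs: every member name is resolved against the destination and the whole archive is rejected if any member would escape. The archive contents, file names and directory paths are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile

def build_sample_archive(with_traversal):
    """Constructed sample upload: one benign entry and, optionally, one whose
    name carries a directory traversal sequence, the pattern in the advisory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("keys/server.pem", "placeholder certificate data\n")
        if with_traversal:
            zf.writestr("../../escaped.txt", "content that would land outside the upload dir\n")
    return buf.getvalue()

def unsafe_members(zip_bytes, dest):
    """Return every member name that would resolve outside dest once extracted.
    Absolute names, '..' segments and backslash separators are all caught."""
    dest_real = os.path.realpath(dest)
    escaped = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = os.path.realpath(os.path.join(dest_real, name.replace("\\", "/")))
            if os.path.commonpath([dest_real, target]) != dest_real:
                escaped.append(name)
    return escaped

def safe_extract(zip_bytes, dest):
    """Validate every member before writing anything; reject the whole archive
    if any member escapes. Returns (accepted, names): the extracted members on
    success, or the offending members on rejection."""
    bad = unsafe_members(zip_bytes, dest)
    if bad:
        return False, bad
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return True, zf.namelist()

def demo():
    """Run a clean and a traversal-carrying archive against a throwaway directory."""
    with tempfile.TemporaryDirectory() as dest:
        clean = safe_extract(build_sample_archive(False), dest)
        dirty = safe_extract(build_sample_archive(True), dest)
    return clean, dirty

if __name__ == "__main__":
    print(demo())  # ((True, ['keys/server.pem']), (False, ['../../escaped.txt']))
```

CPython's own extractall already strips leading traversal components, so in this language the check is belt-and-braces; in a hand-rolled extractor that writes each entry name straight to disk, it is the missing validation the advisory refers to.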