FortiNAC - Improper access control on administrative panels


An access control vulnerability [CWE-284] in FortiNAC may allow a remote attacker authenticated on the administrative interface to perform unauthorized jsp calls via crafted HTTP requests.

Affected Products

At least
FortiNAC version 9.4.0 through 9.4.2
FortiNAC 9.2.0 through 9.2.7
FortiNAC 9.1 all versions
FortiNAC 8.8 all versions
FortiNAC 8.7 all versions
FortiNAC 8.6 all versions
FortiNAC 8.5 all versions


Please upgrade to FortiNAC-F version 7.2.0 or above
Please upgrade to FortiNAC version 9.4.3 or above
Please upgrade to FortiNAC version 9.2.8 or above



Internally discovered and reported by Giulia Clerici and Théo Leleu of the Fortinet Product Security team.


2023-05-09: Initial publication