Fortinet FortiNAC keyUpload.jsp Arbitrary File Write

This Metasploit module uploads a payload to the /tmp directory in addition to a cron job to /etc/cron.d which executes the payload in the context of the root user. The core vulnerability is an arbitrary file write issue in /configWizard/keyUpload.jsp which is accessible remotely and without authentication. When you send the vulnerable endpoint a ZIP file, it will extract an attacker controlled file to a directory of the attackers choice on the target system. This issue is exploitable on FortiNAC …

addition attackers authentication context cron directory endpoint etc extract file fortinac fortinet fortinet fortinac issue job metasploit payload root send system target vulnerability vulnerable zip