CVE-2021-44168 — Fortinet FortiOS Arbitrary File Download

CVE-2021-44168

FortiOS CLI — 'execute restore src-vis' Downloads Files Without Integrity Checking, Enabling Authenticated Attacker to Deliver Malicious Firmware or Config; Added to KEV Before NVD Publication

What is FortiOS's Restore Command?

Fortinet FortiOS is the operating system powering FortiGate firewalls and network appliances. The FortiOS CLI includes diagnostic and administrative commands for managing device configuration, including the execute restore command which restores device configurations or firmware from remote locations. The execute restore src-vis variant downloads files from a remote server specified by the operator. When this download operation does not verify the integrity or authenticity of the retrieved file (CWE-494: Download of Code Without Integrity Check), an attacker with CLI access can manipulate the download source or the file content to deliver a malicious firmware image or configuration file without the device detecting the substitution — potentially persisting malicious code on the FortiGate appliance.

Overview

CVE-2021-44168 is an arbitrary file download vulnerability (CWE-494: Download of Code Without Integrity Check) in Fortinet FortiOS. The execute restore src-vis CLI command downloads files from attacker-specified sources without verifying their integrity or digital signature. An authenticated low-privilege CLI user can exploit this to download and potentially execute malicious files on the FortiOS device. Notably, CISA added CVE-2021-44168 to the KEV catalog on December 10, 2021 — 25 days before NVD published the CVE on January 4, 2022 — indicating CISA had intelligence of active exploitation before full public disclosure.

Affected Versions

Product   Versions               Status                  Fixed In
FortiOS   7.0.0 through 7.0.4    Vulnerable              7.0.5
FortiOS   6.4.0 through 6.4.9    Vulnerable              6.4.10
FortiOS   6.2.x                  Vulnerable              6.2.10
FortiOS   6.0.x                  Check vendor advisory   Apply latest available update

Technical Details

  • Root cause: Download of code without integrity check (CWE-494) — the execute restore src-vis command fetches files from a remote URL without verifying a cryptographic signature or checksum of the downloaded content; this allows the content to be substituted (via man-in-the-middle, attacker-controlled server, or DNS manipulation) with malicious firmware or configuration without detection
  • Attacker-controlled download source: With CLI access, an authenticated attacker can specify an attacker-controlled server as the download source, delivering a malicious configuration file or firmware image directly; the device downloads and processes the file without integrity verification
  • Persistence risk: Malicious firmware delivered via this path could persist on FortiGate devices through reboots and other remediation attempts that don't include a verified clean reinstall — network appliance firmware persistence is a known post-exploitation technique used by advanced threat actors targeting Fortinet devices
  • CISA pre-NVD KEV addition: CISA added this to KEV on December 10, 2021, before NVD published the CVE on January 4, 2022 — an unusual sequence indicating CISA had confirmed exploitation intelligence from partner intelligence sources or incident response before public disclosure, reflecting the urgency of patching actively-exploited FortiOS vulnerabilities
  • Context with other FortiOS CVEs: The December 2021 timeframe coincides with active exploitation campaigns against FortiGate devices; Fortinet disclosed multiple vulnerabilities in this period, and CVE-2021-44168's rapid KEV addition suggests it was being used alongside other FortiOS vulnerabilities in active attacks

Discovery

Discovered and disclosed by Fortinet in the December 2021 PSIRT advisory FG-IR-21-235. CISA's pre-NVD KEV addition indicates government cybersecurity intelligence identified active exploitation before or coincident with Fortinet's disclosure — consistent with coordinated vulnerability disclosure for actively-exploited vulnerabilities in critical infrastructure security equipment.

Exploitation Context

Fortinet FortiGate firewalls and VPN appliances are widely deployed in enterprise, government, and critical infrastructure networks. Vulnerabilities in FortiOS are attractive to nation-state actors and ransomware groups because: (1) network security appliances are trusted by default and receive less endpoint security monitoring than servers and workstations, (2) persistent code on a firewall provides long-term network access, (3) firewalls sit at network boundaries with visibility into all traffic. CVE-2021-44168's integrity-checking bypass is particularly relevant in the context of FortiGate firmware implant attacks documented by security researchers — where malicious firmware modifications on FortiGate devices allowed persistent, stealthy access to enterprise networks even after other remediation steps were taken.

Remediation

  1. Upgrade FortiOS to 7.0.5 or later (for 7.0.x), 6.4.10 or later (for 6.4.x), or 6.2.10 or later (for 6.2.x) — these releases add the missing integrity check for restore operations
  2. Restrict CLI access to FortiGate devices: only authorized administrators via trusted management workstations and management VLANs; disable CLI access from production interfaces
  3. Review FortiGate device integrity: check for unexpected configuration changes or firmware modifications; verify firmware version matches expected Fortinet-signed builds
  4. Enable Fortinet's firmware verification features if available on your device model and FortiOS version
  5. Monitor for execute restore commands in FortiOS audit logs — unexpected restore operations from unusual source IPs or domains should trigger incident response
  6. Apply FortiGate management best practices: dedicate a separate out-of-band management interface, require MFA for admin access, and restrict management protocols (HTTPS/SSH) to management VLAN only
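A log-review check for remediation item 5, added here as an example that is not part of this advisory or of Fortinet's own tooling: it parses constructed FortiOS-style event lines, finds execute restore commands, and flags those run from outside an assumed management network, pointing at an unapproved restore host, or using the src-vis path. The management network, the approved-host list and the exact msg wording are assumptions.

```python
import ipaddress
import re

# Constructed sample lines approximating FortiOS event-log key=value syntax;
# field names follow FortiOS conventions, but these are not real captures.
SAMPLE_LOGS = """\
date=2021-12-08 time=09:14:02 type="event" subtype="system" vd="root" user="netops" ui="ssh(10.10.0.5)" msg="execute restore config tftp fw.conf 10.10.0.20"
date=2021-12-08 time=11:40:17 type="event" subtype="system" vd="root" user="guest1" ui="ssh(198.51.100.77)" msg="execute restore src-vis ftp 203.0.113.9"
date=2021-12-08 time=11:41:03 type="event" subtype="system" vd="root" user="guest1" ui="ssh(198.51.100.77)" msg="diagnose sys top"
date=2021-12-09 time=02:03:55 type="event" subtype="system" vd="root" user="admin" ui="https(10.10.0.5)" msg="execute restore image tftp FGT_7-0-5.out 203.0.113.9"
"""

MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # assumed management VLAN
APPROVED_RESTORE_HOSTS = {"10.10.0.20"}             # assumed internal config/firmware repo
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line):
    """Parse key=value pairs; quoted values may contain spaces."""
    fields = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def detect_restores(log_text):
    """Return one alert per 'execute restore' that violates the assumed policy."""
    alerts = []
    for line in log_text.splitlines():
        f = parse_line(line)
        msg = f.get("msg", "")
        if "execute restore" not in msg:
            continue
        reasons = []
        # ui looks like ssh(10.10.0.5) or https(10.10.0.5): the admin's source address
        m = IPV4_RE.search(f.get("ui", ""))
        src = ipaddress.ip_address(m.group(1)) if m else None
        if src is None or not any(src in net for net in MGMT_NETS):
            reasons.append("admin session not from management network")
        hosts = IPV4_RE.findall(msg)          # the remote server is the last address
        remote = hosts[-1] if hosts else None
        if remote not in APPROVED_RESTORE_HOSTS:
            reasons.append(f"restore source {remote} not an approved host")
        if "src-vis" in msg:
            reasons.append("src-vis restore path (CVE-2021-44168)")
        if reasons:
            alerts.append({"when": f"{f['date']} {f['time']}", "user": f.get("user"),
                           "src": str(src), "remote": remote, "reasons": reasons})
    return alerts
```

Restores that satisfy every check (management-network session, approved host, no src-vis) produce no alert, so the output is only the operations that need a second look.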

Key Details

Property               Value
CVE ID                 CVE-2021-44168
Vendor / Product       Fortinet — FortiOS
NVD Published          2022-01-04
NVD Last Modified      2025-10-24
CVSS 3.1 Score         3.3
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Severity               LOW
CWE                    CWE-494
CISA KEV Added         2021-12-10
CISA KEV Deadline      2021-12-24
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      Low
Privileges Required    Low
User Interaction       None
Scope                  Unchanged
Confidentiality        None
Integrity              Low
Availability           None

Required Action

CISA BOD 22-01 Deadline: 2021-12-24. Apply updates per vendor instructions.

Timeline

Date         Event
2021-12-06   Fortinet releases patches for CVE-2021-44168 in FortiOS 6.4.x and 7.0.x
2021-12-10   CISA adds CVE-2021-44168 to the Known Exploited Vulnerabilities catalog, before NVD has published the CVE
2021-12-24   CISA BOD 22-01 remediation deadline
2022-01-04   NVD publishes CVE-2021-44168 (25 days after the CISA KEV addition)

References

Resource                                 Type
Fortinet PSIRT Advisory FG-IR-21-235     Vendor Advisory
NVD — CVE-2021-44168                     Vulnerability Database
CISA KEV Catalog Entry                   US Government