CVE-2022-41328 — Fortinet FortiOS Path Traversal Vulnerability

CVE-2022-41328

Fortinet FortiOS — Path Traversal via CLI Exploited by UNC3886 to Implant Persistent Malware on Firewalls

What is Fortinet FortiOS?

Fortinet FortiOS is the operating system powering FortiGate next-generation firewalls and security appliances — one of the most widely deployed network security products globally. FortiGate devices sit at network perimeters, making them high-value targets for nation-state actors seeking persistent access to victim networks. Compromising a FortiGate appliance grants visibility into all traffic passing through it and a foothold in the network that survives endpoint security tools.

Overview

CVE-2022-41328 is a path traversal vulnerability (CWE-22) in Fortinet FortiOS that allows a privileged attacker to read and write arbitrary files on the underlying FortiOS filesystem via crafted CLI commands. Despite requiring admin-level access (High privileges), the vulnerability's real-world significance is enormous: UNC3886, a Chinese-nexus espionage actor, exploited it to write custom malware implants directly into FortiOS appliances, achieving persistence that survived reboots and firmware updates. Mandiant published research on this exploitation in March 2023 simultaneously with the KEV addition.

Affected Versions

Product          Vulnerable    Fixed
FortiOS 6.0.x    < 6.0.17      6.0.17
FortiOS 6.2.x    < 6.2.14      6.2.14
FortiOS 6.4.x    < 6.4.13      6.4.13
FortiOS 7.0.x    < 7.0.11      7.0.11
FortiOS 7.2.x    < 7.2.4       7.2.4

Technical Details

The path traversal vulnerability exists in FortiOS CLI command processing. A privileged attacker who has authenticated to the FortiOS management interface can craft CLI commands that include path traversal sequences to read or write files outside the intended authorized paths on the underlying filesystem.

  • Authentication required: High — requires admin-level FortiOS credentials
  • Impact of write access: The ability to write arbitrary files to FortiOS's filesystem allowed UNC3886 to:
    • Deploy THINCRUST (a custom Python-based backdoor on FortiOS's Linux base)
    • Deploy CASTLETAP (an ELF backdoor establishing covert C2 over ICMP)
    • Modify FortiOS system files to maintain persistence across reboots
  • Persistence mechanism: Implants were placed in locations that survive standard patching and reboots on FortiOS appliances

Discovery

Identified through Mandiant's incident response work investigating UNC3886 intrusions. Mandiant and Fortinet coordinated disclosure.

Exploitation Context

UNC3886 is a sophisticated Chinese-nexus espionage group that targets network edge devices (firewalls, VPN appliances) specifically because these devices run specialized operating systems with limited security software visibility. By compromising FortiGate appliances via CVE-2022-41328, UNC3886 established long-term persistent access to defense, government, and technology sector victims. The implants (THINCRUST, CASTLETAP) were designed to survive FortiOS updates — a level of operational sophistication indicating a well-resourced, patient threat actor.

Remediation

  1. Upgrade to the patched FortiOS version for your branch (see table above)
  2. Check for implants before assuming patching is sufficient — use Fortinet's provided integrity checker or compare system file hashes against known-good values
  3. Review FortiOS configuration and management access logs for unauthorized CLI commands or unexpected file modifications
  4. Restrict FortiGate management interface access (HTTPS, SSH) to trusted management IPs only — the management interface should never be exposed to the internet
  5. Enable FortiOS integrity checking features and review alerts
  6. For suspected compromised devices, consider factory reset and reconfiguration from a clean baseline rather than simply patching
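A small triage helper for remediation step 1, added here as an example and not part of Fortinet's or Mandiant's tooling: it parses a FortiOS version string (bare, or as it appears in a "get system status" line) and compares it against the fixed versions in the Affected Versions table above. Build numbers in the sample lines are constructed, and a branch absent from the table is reported as "unlisted" rather than assumed safe.

```python
"""Classify a FortiOS version against the CVE-2022-41328 fixed-version table."""
import re

# Fixed version per FortiOS branch, taken from the Affected Versions table.
FIXED_BY_BRANCH = {
    (6, 0): (6, 0, 17),
    (6, 2): (6, 2, 14),
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 11),
    (7, 2): (7, 2, 4),
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from '7.0.5', 'v7.0.5', or a full
    'Version: FortiGate-100F v7.0.5,build0304,...' status line."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no FortiOS version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(text):
    """Return 'vulnerable', 'fixed', or 'unlisted'.

    'unlisted' means the major.minor branch is not in the advisory table;
    treat it as 'consult the vendor advisory', not as unaffected."""
    major, minor, patch = parse_version(text)
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        return "unlisted"
    return "vulnerable" if (major, minor, patch) < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample lines in the shape of 'get system status' output;
    # build numbers and dates are placeholders, not real firmware builds.
    samples = [
        "Version: FortiGate-100F v7.0.5,build0304,220408 (GA)",
        "Version: FortiGate-60F v7.2.4,build1396,230131 (GA)",
        "v6.4.12",
        "7.4.0",
    ]
    for line in samples:
        print(f"{assess(line):10s} {line}")
```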

Key Details

Property               Value
CVE ID                 CVE-2022-41328
Vendor / Product       Fortinet — FortiOS
NVD Published          2023-03-07
NVD Last Modified      2025-10-24
CVSS 3.1 Score         6.7
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity               MEDIUM
CWE                    CWE-22
CISA KEV Added         2023-03-14
CISA KEV Deadline      2023-04-04
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector:        Local
Attack Complexity:    Low
Privileges Required:  High
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2023-04-04. Apply updates per vendor instructions.

Timeline

Date         Event
2023-03-07   Fortinet publishes PSIRT advisory; CVE published
2023-03-14   Added to CISA Known Exploited Vulnerabilities catalog; Mandiant publishes UNC3886 research
2023-04-04   CISA BOD 22-01 remediation deadline