Fortinet RCE vulnerability

This live blog contains information regarding the Fortinet RCE vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on March 14, 2023.

Update March 14, 2023

On the 7th of March 2023, Fortinet published an Advisory in which they describe CVE-2022-41328. This vulnerability is an improper limitation of a pathname to a restricted directory also known as path traversal in FortiOS allowing a privileged attacker to read and write arbitrary files via crafted CLI commands.

Unknown attackers possibly exploited CVE-2022-42475 or CVE-2023-25610 to get privileges required to abuse CVE-2022-41328. This later vulnerability was used this month in attacks targeting government and large organizations that have led to OS and file corruption and data loss.

The vulnerability exists in the following products:

• FortiOS version 7.2.0 through 7.2.3
• FortiOS version 7.0.0 through 7.0.9
• FortiOS version 6.4.0 through 6.4.11
• FortiOS 6.2 all versions
• FortiOS 6.0 all versions

Fortinet has published updates patching the vulnerability. It is strongly advised to upgrade as soon as possible.

• Please upgrade to FortiOS version 7.2.4 or above
• Please upgrade to FortiOS version 7.0.10 or above
• Please upgrade to FortiOS version 6.4.12 or above

Fortinet published an analysis into the incident and provides IoCs identified during their ongoing analysis. It is recommended to validate your systems against the following indicators of compromise:

System/Logs

• String “execute wireless-controller hs20-icon upload-icon”
• String “User FortiManager_Access via fgfmd upload and run script”

Network

• 47.252.20.90

File Hashes

• Auth – b6e92149efaf78e9ce7552297505b9d5
• Klogd – 53a69adac914808eced2bf8155a7512d
• Support – 9ce2459168cf4b5af494776a70e0feda
• Smit – e3f342c212bb8a0a56f63490bf00ca0c
• Localnet – 88711ebc99e1390f1ce2f42a6de0654d
• Urls.py – 64bdf7a631bc76b01b985f1d46b35ea6
• Views.py – 3e43511c4f7f551290292394c4e21de7
• Fgfm – e2d2884869f48f40b32fb27cc3bdefff

Call to action

1. Determine if your Fortinet product(s) is/are vulnerable;
2. Apply the available software patches;
3. Analyse the log files of the devices for indicators of exploitation;
4. Analyse log files of other security solutions for indicators of exploitation;
5. Contact Fortinet Customer Support, Tesorion-SOC or Tesorion-CERT in case indicators of exploitation are identified or if assistance is required.

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

More information:

• Fortinet PSIRT Advisory: https://www.fortiguard.com/psirt/FG-IR-22-369
• Fortinet Analysis of FG-IR-22-369 https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis