⚠ Actively exploited
Added to CISA KEV on 2023-03-14. Federal agencies required to patch by 2023-04-04. Required action: Apply updates per vendor instructions.
CVE-2022-41328 — Path Traversal in Fortinet FortiOS
Severity: NVD 7.1 (High); CNA 6.7; VulnCheck 6.7
EPSS: 0.3% (47.58th percentile)
CISA KEV: added 2023-03-14, due 2023-04-04
Exploit: exploited in the wild; active exploitation observed
Affected products
Timeline: published Mar 7, 2023; KEV added Mar 14, 2023; KEV due Apr 4, 2023; latest update Feb 9
CISA required action: apply updates per vendor instructions.
Description
An improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in Fortinet FortiOS versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.9, and before 6.4.11 allows a privileged attacker to read and write files on the underlying Linux system via crafted CLI commands.
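Checking a fleet against the version ranges in that description, as an added example that is not code from this page or from Fortinet: the parser accepts a bare version string or a whole FortiOS `get system status` Version line (the exact line format and every inventory entry below are constructed assumptions, not real devices), and `AFFECTED_RANGES` encodes the description literally, including the open-ended "before 6.4.11", so 6.2 and 6.0 builds are reported as affected as well.

```python
import re

# Affected ranges exactly as the CVE description states them: 7.2.0 through 7.2.3,
# 7.0.0 through 7.0.9, and "before 6.4.11". Each entry is (first affected, first fixed);
# a None lower bound means no lower bound, so the last entry also matches 6.2.x and 6.0.x
# builds, which is what the literal wording "before 6.4.11" implies.
AFFECTED_RANGES = [
    ((7, 2, 0), (7, 2, 4)),
    ((7, 0, 0), (7, 0, 10)),
    (None, (6, 4, 11)),
]

_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_fortios_version(text):
    """Extract (major, minor, patch) from '7.0.9', 'v7.0.9' or a whole 'get system status' Version line."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no FortiOS version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True if the version in `text` falls inside any range the description lists."""
    v = parse_fortios_version(text)
    return any((low is None or v >= low) and v < fixed for low, fixed in AFFECTED_RANGES)


def triage(inventory):
    """Return [(hostname, version_tuple)] for every device whose FortiOS version is affected."""
    hits = []
    for hostname, status_line in inventory:
        v = parse_fortios_version(status_line)
        if is_affected(status_line):
            hits.append((hostname, v))
    return hits


# Constructed sample inventory (hostnames and build numbers are made up), in the shape of
# the "Version:" line that FortiOS prints for `get system status` (format assumed).
INVENTORY = [
    ("fw-edge-01", "Version: FortiGate-100F v7.2.3,build0000,000000 (GA.F)"),
    ("fw-edge-02", "Version: FortiGate-100F v7.2.4,build0000,000000 (GA.F)"),
    ("fw-branch-07", "Version: FortiGate-60F v7.0.9,build0000,000000 (GA.F)"),
    ("fw-lab-old", "Version: FortiGate-60E v6.4.10,build0000,000000 (GA.F)"),
    ("fw-lab-patched", "Version: FortiGate-60E v6.4.11,build0000,000000 (GA.F)"),
]

if __name__ == "__main__":
    for hostname, version in triage(INVENTORY):
        print("%s runs FortiOS %s: affected, apply the vendor update"
              % (hostname, ".".join(map(str, version))))
```

The boundaries are the part worth getting right: 7.2.4, 7.0.10 and 6.4.11 are the first fixed builds and must come back clean, while 7.2.3, 7.0.9 and 6.4.10 are the last affected ones. Trains the description does not name (7.4 and later) are treated as not affected, which is all the page supports.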
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (Exploitability: 1.8 | Impact: 5.2)
Attack Vector is Local and Privileges Required is Low, so the attacker already needs an authenticated CLI session on the device; the High ratings sit on confidentiality and integrity (arbitrary file read and write), with no availability impact and Scope unchanged.
Affected Packages (2 packages)
Vulnerability Details
CVEList
CVE-2022-41328: An improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in Fortinet FortiOS version 7… (2023-03-07)
GHSA
GHSA-prj2-6g47-x68h: An improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in Fortinet FortiOS version 7… (2023-03-07)
Vendor Advisories
Threat Intelligence
Tenable
Volt Typhoon: International Cybersecurity Authorities Detail Activity Linked to Chinese-State Sponsored Threat Actor (2023-05-25)