CVE-2022-41328
Published: 2023-03-07
Priority: P1 · 83 · high · 7.1 (CVSS 3.1)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA Known Exploited Vulnerability (KEV), remediation due 2023-04-04
Exploited in the wild (ITW)
EPSS: 12.32% (95.7th percentile)
An improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in Fortinet FortiOS version 7.2.0 through 7.2.3, 7.0.0 through 7.0.9 and before 6.4.11 allows a privileged attacker to read and write files on the underlying Linux system via crafted CLI commands.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortinet | — | — |
| fortinet | fortios | — | — |
| fortinet | fortios | 6.0.0 – 6.0.16 | — |
| fortinet | fortios | >= 6.2.0 < 6.2.14 | 6.2.14 |
| fortinet | fortios | 6.2.0 – 6.2.13 | — |
| fortinet | fortios | >= 6.4.0 < 6.4.12 | 6.4.12 |
| fortinet | fortios | 6.4.0 – 6.4.11 | — |
| fortinet | fortios | >= 7.0.0 < 7.0.10 | 7.0.10 |
| fortinet | fortios | 7.0.0 – 7.0.9 | — |
| fortinet | fortios | >= 7.2.0 < 7.2.4 | 7.2.4 |
| fortinet | fortios | 7.2.0 – 7.2.3 | — |
Detection & IOCs (extracted from sources)
- Inspect HTTP requests to FortiManager for the presence of the cookies FGMGTOKEN and DEVICEID, which are used by the backdoor to receive RC4-encoded commands.
- Monitor for traffic redirection targeting destination port 541 (FortiGuard management port) from unexpected source IPs, as the 'auth' malware redirects such traffic to attacker-controlled ports.
- FIPS mode on FortiGate devices provides a detection mechanism: if firmware integrity is breached, the device halts and refuses to boot. Organizations without FIPS enabled may not receive this automatic tamper alert.
- The contents of scripts executed via FortiManager's upload script feature are not retained on the device, limiting forensic visibility into what commands were delivered to FortiGate devices.
- The 'auth' malware reads the source IP and redirect port from a network socket dynamically, meaning the redirect destination port is not static and cannot be hardcoded into detection rules.
- The 'localnet' startup script modification re-enables firmware verification at boot to mask the fact that 'smit' was tampered with, potentially defeating post-reboot integrity checks.
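The first two indicators above can be triaged from logs. This is an added example, not code from any of the cited sources; the key=value log format, the sample lines and the 10.1.1.0/24 management range are constructed, and only the cookie names and port 541 come from the indicators.

```python
"""Triage helpers for the FGMGTOKEN/DEVICEID cookie and port-541 indicators (added example)."""
import ipaddress
import re

# Constructed sample: FortiManager-style HTTP access log with the Cookie header as a field.
HTTP_LOG = """\
2023-03-01T10:00:01Z src=10.1.1.5 dst=10.1.1.100 path=/p/login/ cookie="SESSION=abc"
2023-03-01T10:00:09Z src=203.0.113.7 dst=10.1.1.100 path=/p/app/ cookie="FGMGTOKEN=ZmFrZQ==; DEVICEID=FG100"
2023-03-01T10:00:15Z src=10.1.1.5 dst=10.1.1.100 path=/p/app/ cookie="DEVICEID=FG100"
"""

# Constructed sample: firewall flow log covering connections towards the FortiGuard port.
FLOW_LOG = """\
2023-03-01T10:01:00Z proto=tcp src=10.1.1.5 dst=10.1.1.100 dport=541
2023-03-01T10:01:05Z proto=tcp src=198.51.100.9 dst=10.1.1.100 dport=541
2023-03-01T10:01:07Z proto=tcp src=10.1.1.5 dst=10.1.1.100 dport=443
"""

# Matches key=value and key="quoted value"; a quoted value is consumed whole,
# so '=' signs inside the cookie string do not produce extra pairs.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(line):
    """Turn one 'k=v k="v v"' log line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def suspicious_cookie_requests(log):
    """Source IPs of requests whose Cookie header carries both FGMGTOKEN and DEVICEID."""
    hits = []
    for line in log.splitlines():
        rec = parse_kv(line)
        cookies = [c.strip() for c in rec.get("cookie", "").split(";") if c.strip()]
        names = {c.split("=", 1)[0] for c in cookies}
        if {"FGMGTOKEN", "DEVICEID"} <= names:  # both present: matches the backdoor's channel
            hits.append(rec["src"])
    return hits

def unexpected_port541_sources(log, allowed_nets):
    """Source IPs talking to TCP/541 that fall outside the expected management ranges."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = []
    for line in log.splitlines():
        rec = parse_kv(line)
        if rec.get("dport") != "541":
            continue
        src = ipaddress.ip_address(rec["src"])
        if not any(src in n for n in nets):
            hits.append(rec["src"])
    return hits

if __name__ == "__main__":
    print(suspicious_cookie_requests(HTTP_LOG))                     # ['203.0.113.7']
    print(unexpected_port541_sources(FLOW_LOG, ["10.1.1.0/24"]))   # ['198.51.100.9']
```

Because the 'auth' malware picks its redirect port dynamically (see the indicators), the second check keys on the destination port 541 and the source address rather than on any fixed redirect port.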
CVSS provenance
- nvd: 7.1 HIGH (v3.1) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- vulncheck: 6.7 MEDIUM
- cisa: 7.1 HIGH
GHSA
GHSA-prj2-6g47-x68h · ghsa_unreviewed · 2023-03-07 · CVE-2022-41328 [HIGH] · CWE-22
An improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in Fortinet FortiOS version 7.2.0 through 7.2.3, 7.0.0 through 7.0.9 and before 6.4.11 allows a privileged attacker to read and write files on the underlying Linux system via crafted CLI commands.
VulnCheck
Fortinet FortiOS Path Traversal Vulnerability
vulncheck · 2022 · CVSS 6.7 · CVE-2022-41328 [MEDIUM] · CWE-22
Fortinet FortiOS contains a path traversal vulnerability that may allow a local privileged attacker to read and write files via crafted CLI commands.
Affected: Fortinet FortiOS
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cloud.google.com/blog/topics/threat-intelligence/fortinet-malware-ecosystem/; https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem; https://www.mandiant.com/resources/blog/zero-days-exploited-2022; https://www.mandiant.com/resources/blog/chinese-espionage-tactics; https://information.rapid7.com/rs/411-NAK-970/ima
CISA ICS
Siemens RUGGEDCOM APE1808 with Fortigate NGFW Devices
cisa_ics · 2024-03-14 · ICS Advisory
Release Date: March 14, 2024
Alert Code: ICSA-24-074-11
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: RUGGEDCOM APE1808 devices
- Vulnerabilities: Improper Certificate Validation, Cleartext Transmission of Sensitive Information, Path Traversal, Exposure of Sensitive Information to an Unauthorized
CISA
Fortinet FortiOS Path Traversal Vulnerability
cisa · 2023-03-14 · CVSS 7.1 · CVE-2022-41328 [HIGH] · CWE-22
Affected: Fortinet FortiOS
Fortinet FortiOS contains a path traversal vulnerability that may allow a local privileged attacker to read and write files via crafted CLI commands.
Required Action: Apply updates per vendor instructions.
Notes: https://www.fortiguard.com/psirt/FG-IR-22-369; https://nvd.nist.gov/vuln/detail/CVE-2022-41328
Remediation Due Date: 2023-04-04
Fortinet
FG-IR-22-369: Path traversal in execute command
vendor_fortinet · 2023-03-07 · CVSS 6.7 · CVE-2022-41328 [MEDIUM] · CWE-22
An improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in Fortinet FortiOS version 7.2.0 through 7.2.3, 7.0.0 through 7.0.9 and before 6.4.11 allows a privileged attacker to read and write files on the underlying Linux system via crafted CLI commands.
CVEs: CVE-2022-41328
CWEs: CWE-22
CVSS: 6.7 (medium)
Affected products: FortiOS, Fortinet
No detection rules found.
No public exploits indexed.
Bleepingcomputer
## Chinese cyberspies breach Singapore's four largest telcos
blogs_bleepingcomputer · 2026-02-09
By Bill Toulas
The Chinese threat actor tracked as UNC3886 breached Singapore’s four largest telecommunication service providers, Singtel, StarHub, M1, and Simba, at least once last year.
The hackers also gained limited access to critical systems but did not pivot deep enough to disrupt services.
In response to the intrusions, which were disclosed in July 2025, Singapore deployed ‘Operation Cyber Guardian’ to limit the adversary's activity on the telco's networks, but very few details were shared at the time.
"Over the past months, our investigations have indicated that UNC3886 had launched a deliberate, targeted, and well-planned campaign against Singapore’s telecommunications sector," Singapore's Cyber Security Agency (CSA
Trendmicro
# Revisiting UNC3886 Tactics to Defend Against Present Risk
blogs_trendmicro · 2025-07-28 · APT & Targeted Attacks
We examine the past tactics used by UNC3886 to gain insight into how best to strengthen defenses against the ongoing and emerging threats of this APT group.
By: Cj Arsley Mateo, Ieriz Nicolle Gonzalez, Jacob Santos, Paul John Bardon, Angelo Junio, Rayven Cervantes
2025/07/28
## Key Takeaways
- UNC3886 is an APT group that has historically targeted critical infrastructure, including telecommunications, government, technology, and defense, with a recent attack against Singapore.
- The group is known for rapidly exploiting zero-day and high-impact vulnerabilities in network and virtualization devices such as VMware vCenter/ESXi, Fortinet FortiOS, and Juniper Junos OS.
- UN
Bleepingcomputer
## Chinese cyberspies backdoor Juniper routers for stealthy access
blogs_bleepingcomputer · 2025-03-12 · CVSS 6.7 [MEDIUM]
By Bill Toulas
Chinese hackers are deploying custom backdoors on Juniper Networks Junos OS MX routers that have reached end-of-life (EoL) and no longer receive security updates.
The backdoors are primarily variants of the TinyShell malware, an open-source tool that facilitates data exchange and command execution on Linux systems, and which has been used by multiple threat groups over the years.
The attacks were discovered in mid-2024 by Mandiant, who attributed the attacks to a cyberespionage threat actor known as UNC3886.
"In mid 2024, Mandiant discovered threat actors deployed custom backdoors operating on Juniper Networks' Junos OS routers," explains a new report by Mandiant.
"Mandiant attributed these backdoors t
Bleepingcomputer
## Chinese hackers exploit VMware bug as zero-day for two years
blogs_bleepingcomputer · 2024-01-19 · CVSS 3.9 · CVE-2023-34048 [LOW]
By Sergiu Gatlan
A Chinese hacking group has been exploiting a critical vCenter Server vulnerability (CVE-2023-34048) as a zero-day since at least late 2021.
The flaw was patched in October, with VMware confirming this Wednesday that it's aware of CVE-2023-34048 in-the-wild exploitation, although it didn't share any other details on the attacks.
However, as security firm Mandiant revealed today, the vulnerability was used by the UNC3886 Chinese cyber espionage group as part of a previously reported campaign, exposed in June 2023.
The cyberspies used it to breach their targets' vCenter servers and compromised credentials to deploy VirtualPita and VirtualPie backdoors on ESXi hosts via maliciously crafted vSphere Installa
Tenable
Volt Typhoon: International Cybersecurity Authorities Detail Activity Linked to Chinese-State Sponsored Threat Actor
blogs_tenable · 2023-05-25
Wiz
The First Edition of Crying Out Cloud - The Newsletter! | Wiz
blogs_wiz · 2023-04-11 · CVSS 6.7 · CVE-2023-25610 [MEDIUM]
The world of cloud security is ever-evolving, and the Wiz Research team is here to keep you updated. This month several impactful vulnerabilities were published, and we observed a few unfortunate security incidents which should be of interest to cloud customers.
Here's a summary of our top picks, enjoy!
## ✨ Highlights
## 🐞 High Profile Vulnerabilities
## Critical RCE vulnerability in Fortinet's FortiOS and FortiProxy
On March 7, Fortinet published an advisory for CVE-2023-25610, a critical buffer underwrite vulnerability in FortiOS. This vulnerability is a bug in the administrative interface which could allow a remote unauthenticated attacker to execute code using specially crafted requests. Based on Wiz data, 7% of cloud enterprise environments are still susceptible to this vulnerab
Checkpoint
20th March – Threat Intelligence Report
blogs_checkpoint · 2023-03-20 · CVSS 7.1 · CVE-2023-0669 [HIGH]
## 20th March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 20th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Hitachi Energy reported a data breach caused by the Clop ransomware group which exploited a zero-day vulnerability (CVE-2023-0669) in the Fortra GoAnywhere MFT system, which was used by Hitachi.
Check Point IPS, Threat Emulation and Harmony Endpoint provide protection against this threat (GoAnywhere MFT Insecure Deserializatio
Fortinet
Analysis of FG-IR-22-369 | Fortinet Blog
blogs_fortinet · 2023-03-09 · CVSS 6.7 · CVE-2022-41328 [MEDIUM] · PSIRT BLOGS
By Guillaume Lovet and Alex Kong | March 09, 2023
Affected Platforms: FortiOS
Impacted Users: Government & large organizations
Impact: Data loss and OS and file corruption
Severity Level: High
Fortinet published a CVSS Medium PSIRT Advisory (FG-IR-22-369 / CVE-2022-41328) on March 7th, 2023. The following write-up details our initial investigation into the incident that led to the discovery of this vulnerability and additional IoCs identified during our ongoing analysis.
Executive Summary
Multiple IoCs have been uncovered related to the incident FG-IR-22-369 / CVE-2022-41328.
The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets.
Incident Analysis
Fortinet’s investigat
Threat Intel
UNC3886 (threat_intel)
# Threat Actor Profile: UNC3886
ATT&CK ID: G1048
Also known as: UNC3886
Suspected origin: China
## Overview
UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.(Citation: Mandiant Fortinet Zero Day)(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)
## Campaigns
- **RedPenguin** (C0056) [2024-07-01T04:00:00.000Z to 2025-03-01T05:00:00.000Z]
The RedPenguin project was launched by Juniper in July 2024 to inv
Timeline
- 2023-03-07: Published
- 2023-03-14: Added to CISA KEV
- Exploited in the wild