CVE-2022-41328

Vulnerability Profile
CVE-2022-41328 is a path traversal vulnerability (CWE-22) in Fortinet's FortiOS, tracked by Fortinet as FG-IR-22-369: a privileged attacker can use crafted CLI commands to read and write files outside the directories the CLI is meant to confine them to. It was exploited as a zero-day by UNC3886, a suspected China-nexus intrusion set, which used it to write files directly to the disks of FortiGate firewalls and to deploy custom malware families on Fortinet and VMware systems. The activity dates to September 2022, and the actor also used the compromised appliances as a pivot point into ESXi infrastructure and from there into VM guests. The malware delivered through this access included the previously undocumented CASTLETAP backdoor on FortiGate devices and THINCRUST on FortiManager and FortiAnalyzer; these were deployed through CVE-2022-41328 itself, not through a separate Fortinet flaw. The exploitation was part of a broader pattern of zero-day use in 2022: the reporting cited on this page places it alongside the two Microsoft Exchange zero-days known as ProxyNotShell (CVE-2022-41040 and CVE-2022-41082), which the same reporting also attributes to China-nexus activity. Fortinet published its advisory in March 2023; by then the actor had long held persistent access to victim environments through backdoors on Fortinet and VMware products. Fortinet rates the flaw medium severity (CVSSv3 6.5) because it requires an already-privileged account, so it is a post-authentication arbitrary file read/write primitive rather than an authentication bypass or remote code execution on its own; its value to the actor was the ability to modify the appliance filesystem and establish persistence on devices where endpoint detection tooling is not available.
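The flaw class behind this CVE is CWE-22 path traversal in a privileged file-handling command: the appliance accepts a file name from the operator, and the check that is supposed to keep that name inside a fixed directory can be bypassed. The Python block below is an added example written for this profile; it is not FortiOS code and does not come from Fortinet or Mandiant (the FortiOS CLI is not Python; the language is chosen for clarity). The restricted directory, the resolver names (weak_resolve, safe_resolve), the symlink fixture and the crafted inputs are all assumptions. It places a string-filtering containment check beside one that canonicalises the path with the OS and verifies containment, and reports which crafted names escape each.

```python
"""Path-traversal containment check for a privileged file-handling command.

Added illustration of the vulnerability class behind CVE-2022-41328 (CWE-22:
improper limitation of a pathname to a restricted directory).  This is not
FortiOS code: the restricted directory, the resolver names and the crafted
inputs are assumptions made for the demonstration.
"""
import os
import tempfile


def weak_resolve(base: str, user_path: str) -> str:
    """VULNERABLE: tries to neutralise traversal by deleting every "../"
    substring in one pass, then joins the result onto the restricted directory.
    A single string pass is not canonicalisation: "....//" becomes "../" after
    the deletion, and a symlink inside the directory is never looked at, so
    both escape the directory."""
    return os.path.join(base, user_path.replace("../", ""))


def safe_resolve(base: str, user_path: str) -> str:
    """HARDENED: reject absolute and NUL-bearing names, canonicalise the joined
    path (symlinks and '..' resolved by the OS, not by string surgery) and
    require the canonical target to lie inside the canonical base.
    Raises ValueError if the target would leave the directory."""
    if "\0" in user_path:
        raise ValueError("NUL byte in path")
    if os.path.isabs(user_path):
        raise ValueError("absolute paths are not allowed: %r" % user_path)
    real_base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(real_base, user_path))
    if os.path.commonpath([real_base, candidate]) != real_base:
        raise ValueError("path escapes restricted directory: %r" % user_path)
    return candidate


def is_inside(base: str, path: str) -> bool:
    """True if the canonical form of `path` lies inside the canonical `base`.
    Uses commonpath, not a string prefix test, so "/a/b" is not inside "/a/bc"."""
    real_base = os.path.realpath(base)
    return os.path.commonpath([real_base, os.path.realpath(path)]) == real_base


def accepts(base: str, user_path: str) -> bool:
    """Convenience wrapper: does the hardened resolver accept this name?"""
    try:
        safe_resolve(base, user_path)
    except ValueError:
        return False
    return True


def demo_escapes() -> dict:
    """Build a throwaway restricted directory (constructed fixture) containing a
    symlink that points outside it, then feed three crafted names to both
    resolvers.  Returns, per name, whether the weak resolver's target ends up
    outside the directory and whether the hardened resolver rejects the name."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)          # the temp root may itself be a symlink
        base = os.path.join(tmp, "restricted")
        outside = os.path.join(tmp, "outside")
        os.makedirs(base)
        os.makedirs(outside)
        # constructed: a symlink inside the restricted directory pointing out of it
        os.symlink(outside, os.path.join(base, "link"))

        crafted = {
            "dotdot": "../outside/evil.so",      # the naive filter happens to catch this one
            "doubled": "....//outside/evil.so",  # collapses to "../" after one deletion pass
            "symlink": "link/evil.so",           # lexically inside, physically outside
        }
        results = {}
        for label, name in crafted.items():
            results[label] = {
                "weak_escapes": not is_inside(base, weak_resolve(base, name)),
                "safe_rejects": not accepts(base, name),
            }
        return results


if __name__ == "__main__":
    for label, outcome in demo_escapes().items():
        print(label, outcome)
```

Two outcomes are worth noting. The doubled form "....//" defeats the string filter but is accepted by the hardened check, and that acceptance is correct: after canonicalisation it is just an oddly named directory inside the base. The symlink case is the one a string-based check can never catch, because the name looks contained until the OS resolves it; only comparing canonical paths detects it.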
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability, Fortios, Malware, Fortinet, Chinese, Mandiant, exploited, Fortigate, Exploit, RCE (Remote ..., Zero Day, Esxi, exploitation, flaw, Rootkit, Apt, Papercut, China, Remote Code ...
Associated Malware
No associations to display
Associated Threat Actors
ID (Type; Votes) followed by Profile Description

UNC3886 (Unspecified; 2 votes)
UNC3886 is a threat actor with suspected links to Beijing, China, that has been active in the cyber-espionage landscape. A threat actor refers to any human entity behind the execution of actions with malicious intent, which can range from an individual hacker to a private company or even part of a g

APT41 (Unspecified; 1 vote)
APT41, also known as Winnti, Wicked Panda, and Wicked Spider, among other names, is a threat actor suspected to originate from China. With potential ties to the Chinese government, APT41 has been involved in complex cyber espionage operations since at least 2012, targeting organizations in at least
Associated Vulnerabilities
ID (Type; Votes) followed by Profile Description

Follina (Unspecified; 2 votes)
Follina, also known as CVE-2022-30190, is a notable software vulnerability that was discovered and exploited in the first half of 2022. This flaw, found in the Microsoft Windows Support Diagnostic Tool (MSDT), was weaponized by TA413, a cyber threat actor group with suspected ties to China. The grou

CVE-2021-44228 (Unspecified; 1 vote)
CVE-2021-44228, also known as Log4Shell, is a critical vulnerability in the Apache Log4j software library that has been widely exploited since its discovery. This flaw in software design or implementation allows for remote code execution, making it a prime target for malicious actors. Despite multip

CVE-2023-2868 (Unspecified; 1 vote)
CVE-2023-2868 is a significant software vulnerability that was identified in the Barracuda Email Security Gateway (ESG) appliances. This flaw, specifically a remote command injection vulnerability, was disclosed by Barracuda on May 30th, 2023. The vulnerability had been exploited as early as October

CVE-2022-41040 (Unspecified; 1 vote)
CVE-2022-41040 is a software vulnerability that was discovered in late September 2022, along with another flaw, CVE-2022-41082. These two zero-day vulnerabilities were collectively known as ProxyNotShell. The vulnerabilities were exploited to compromise Microsoft Exchange through the proxy mechanism

CVE-2021-44207 (Unspecified; 1 vote)
CVE-2021-44207 is a significant software vulnerability that was exploited by APT41, a prolific Chinese state-sponsored espionage group known for targeting both public and private sector organizations. This flaw in the USAHerds web application's design or implementation mirrors a previously reported

CVE-2022-41082 (Unspecified; 1 vote)
CVE-2022-41082 is a critical software vulnerability discovered in Microsoft Exchange Servers, which allows for Remote Code Execution (RCE). This flaw is one of two zero-day vulnerabilities found, the other being CVE-2022-41040. The RCE vulnerability presents a significant threat as it enables attack

ProxyNotShell (Unspecified; 1 vote)
ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t

CVE-2022-24682 (Unspecified; 1 vote)
(no profile description)

CVE-2023-25610 (Unspecified; 1 vote)
(no profile description)

CVE-2023-27350 (Unspecified; 1 vote)
CVE-2023-27350 is a significant software vulnerability discovered in PaperCut NG/MF, a popular print management software. This flaw in software design or implementation allows attackers to bypass authentication and execute code with system privileges, posing a serious threat to both server and inter
Source Document References
Information about the CVE-2022-41328 Vulnerability was read from the documents corpus below. This display is limited to 20 results.

Source (created) : Title

CERT-EU (5 months ago): Infographic: A History of Network Device Threats and What Lies Ahead | #ransomware | #cybercrime | National Cyber Security Consulting
CSO Online (a year ago): 55 zero-day flaws exploited last year show the importance of security risk management
Securityaffairs (10 months ago): Reptile Rootkit employed in attacks against Linux systems in South Korea
CERT-EU (5 months ago): Chinese Hackers Silently Weaponized VMware Zero-Day Flaw for 2 Years
Securityaffairs (a year ago): 2022 Zero-Day exploitation continues at a worrisome pace
Securityaffairs (a year ago): China-linked APT likely linked to Fortinet zero-day attacks
CISA (3 months ago): Siemens RUGGEDCOM APE1808 with Fortigate NGFW Devices | CISA
Malwarebytes (a year ago): Update now! Microsoft fixes two zero-day bugs
CERT-EU (5 months ago): Chinese hackers exploit VMware bug as zero-day for two years
DARKReading (a year ago): Attackers Are Probing for Zero-Day Vulns in Edge Infrastructure Products
Checkpoint (a year ago): 20th March – Threat Intelligence Report - Check Point Research
CERT-EU (a year ago): Cyber security week in review: March 17, 2023
Securityaffairs (a year ago): CISA adds Adobe ColdFusion bug to Known Exploited Vulnerabilities Catalog
CERT-EU (a year ago): Which Critical Vulnerabilities Discovered in 2023 Can Do Serious Damage? Read Our Report
CERT-EU (9 months ago): My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
CERT-EU (a year ago): CVE-2022-41328 in FortiOS Exploited in Highly Targeted Attacks
InfoSecurity-magazine (a year ago): Fortinet and PaperCut: Unveiling Critical Vulnerabilities in 2023
CERT-EU (a year ago): Chinese threat group suspected to be behind Fortinet zero-day attacks
CERT-EU (a year ago): Top vulnerabilities so far of 2023: Apache Superset, Papercut, MOVEit and yes, ChatGPT
CERT-EU (a year ago): Weakness at the Network Edge: Mandiant Examines 2022's Zero-Day Exploits | eSecurityPlanet