CVE-2022-41328

Vulnerability Profile Updated 3 months ago
CVE-2022-41328 is a significant software vulnerability in Fortinet's FortiOS. It was heavily targeted by China-nexus intrusion sets, particularly UNC3886, which exploited it to deploy custom malware families on Fortinet and VMware systems. The exploitation took place in September 2022 and allowed the threat actors to write files directly to FortiGate firewall disks. The attackers then used the compromised appliances as a pivot point into ESXi infrastructure and, from there, into VM guests.

The exploitation of CVE-2022-41328 was part of a broader campaign involving several other zero-day vulnerabilities. Mandiant reported that the same group had previously exploited two Microsoft Exchange zero-days (CVE-2022-41040 and CVE-2022-41082), and that it leveraged another Fortinet zero-day to install the previously unknown Castletap and Thincrust backdoors on FortiGate firewall devices.

By March 2023, Fortinet had published security advisories addressing this high-severity vulnerability. Before those advisories appeared, however, the suspected China-nexus threat actor had already gained persistent access to victim environments by deploying backdoors onto Fortinet and VMware solutions. The use of CVE-2022-41328 allowed the threat actors to bypass authentication and execute code with system privileges, demonstrating the serious nature of this vulnerability.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Fortios
Vulnerability
Malware
exploited
Fortinet
Mandiant
Chinese
Exploit
Fortigate
exploitation
Rootkit
Papercut
Esxi
China
flaw
Apt
Remote Code ...
RCE (Remote ...
Zero Day
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
UNC3886 | Unspecified | 2 | UNC3886 is a threat actor with suspected links to China, known for its cyber espionage operations targeting global strategic organizations. Since 2021, this advanced persistent threat (APT) group has been exploiting a VMware zero-day vulnerability, identified as CVE-2023-34048. The cybersecurity ind
APT41 | Unspecified | 1 | APT41, also known as Winnti, Wicked Panda, and Wicked Spider, is a sophisticated threat actor attributed to China. This group has been active since at least 2012, targeting organizations across 14 countries. The group is known for its extensive use of various code families and tools, with at least 4
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Follina | Unspecified | 2 | Follina, also known as CVE-2022-30190, is a notable software vulnerability that was discovered and exploited in the first half of 2022. This flaw, found in the Microsoft Windows Support Diagnostic Tool (MSDT), was weaponized by TA413, a cyber threat actor group with suspected ties to China. The grou
CVE-2021-44228 | Unspecified | 1 | CVE-2021-44228, also known as the Log4j vulnerability, is a software flaw found in Apache Log4j, a widely used logging utility. Despite multiple attempts by Advanced Persistent Threat (APT) actors to exploit this vulnerability in the ServiceDesk system, these efforts were unsuccessful. However, it b
CVE-2023-2868 | Unspecified | 1 | CVE-2023-2868 is a significant software vulnerability that was identified in the Barracuda Email Security Gateway (ESG) appliances. This flaw, specifically a remote command injection vulnerability, was disclosed by Barracuda on May 30th, 2023. The vulnerability had been exploited as early as October
CVE-2022-41040 | Unspecified | 1 | CVE-2022-41040 is a software vulnerability that was discovered in late September 2022, along with another flaw, CVE-2022-41082. These two zero-day vulnerabilities were collectively known as ProxyNotShell. The vulnerabilities were exploited to compromise Microsoft Exchange through the proxy mechanism
CVE-2021-44207 | Unspecified | 1 | CVE-2021-44207 is a significant software vulnerability that was exploited by APT41, a prolific Chinese state-sponsored espionage group known for targeting both public and private sector organizations. This flaw in the USAHerds web application's design or implementation mirrors a previously reported
CVE-2022-41082 | Unspecified | 1 | CVE-2022-41082 is a critical software vulnerability discovered in Microsoft Exchange Servers, which allows for Remote Code Execution (RCE). This flaw is one of two zero-day vulnerabilities found, the other being CVE-2022-41040. The RCE vulnerability presents a significant threat as it enables attack
ProxyNotShell | Unspecified | 1 | ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t
CVE-2022-24682 | Unspecified | 1 | None
CVE-2023-25610 | Unspecified | 1 | None
CVE-2023-27350 | Unspecified | 1 | CVE-2023-27350 is a significant software vulnerability discovered in PaperCut NG/MF, a popular print management software. This flaw in software design or implementation allows attackers to bypass authentication and execute code with system privileges, posing a serious threat to both server and inter
Source Document References
Information about the CVE-2022-41328 vulnerability was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CISA | 4 months ago | Siemens RUGGEDCOM APE1808 with Fortigate NGFW Devices | CISA
CERT-EU | 6 months ago | Chinese Hackers Silently Weaponized VMware Zero-Day Flaw for 2 Years
CERT-EU | 6 months ago | Chinese hackers exploit VMware bug as zero-day for two years
CERT-EU | 7 months ago | Infographic: A History of Network Device Threats and What Lies Ahead
CERT-EU | 7 months ago | Infographic: A History of Network Device Threats and What Lies Ahead | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 10 months ago | My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
Securityaffairs | a year ago | Reptile Rootkit employed in attacks against Linux systems in South Korea
InfoSecurity-magazine | a year ago | Fortinet and PaperCut: Unveiling Critical Vulnerabilities in 2023
CERT-EU | a year ago | Top vulnerabilities so far of 2023: Apache Superset, Papercut, MOVEit and yes, ChatGPT
CERT-EU | a year ago | Which Critical Vulnerabilities Discovered in 2023 Can Do Serious Damage? Read Our Report
Securityaffairs | a year ago | Advanced actor targets Fortinet FortiOS in attacks on govt entities
CERT-EU | a year ago | CVE-2022-41328 in FortiOS Exploited in Highly Targeted Attacks
Securityaffairs | a year ago | China-linked APT likely linked to Fortinet zero-day attacks
Securityaffairs | a year ago | CISA adds Adobe ColdFusion bug to Known Exploited Vulnerabilities Catalog
CERT-EU | a year ago | Exploitation of Recent Fortinet Zero-Day Linked to Chinese Cyberspies
CERT-EU | a year ago | Cyber security week in review: March 17, 2023
CERT-EU | a year ago | Exploitation of Recent Fortinet Zero-Day Linked to Chinese Cyberspies | Antivirus and Security news
Malwarebytes | a year ago | Update now! Microsoft fixes two zero-day bugs
CERT-EU | a year ago | Chinese threat group suspected to be behind Fortinet zero-day attacks
Securityaffairs | a year ago | 2022 Zero-Day exploitation continues at a worrisome pace