CVE-2022-41328

Vulnerability updated 6 months ago (2024-05-04T18:34:29.884Z)
Download STIX
Preview STIX
CVE-2022-41328 is a significant software vulnerability discovered in Fortinet's FortiOS. It was heavily targeted by China-nexus intrusion sets, particularly UNC3886, who exploited the vulnerability to deploy custom malware families on Fortinet and VMware systems. This exploitation occurred in September 2022, allowing the threat actors to write files directly to FortiGate firewall disks. The attackers also used the compromised appliances as a pivot point to gain access to ESXi infrastructure and subsequently to VM guests. The exploitation of CVE-2022-41328 was part of a broader campaign that involved several other zero-day vulnerabilities. For instance, Mandiant reported that the same group had previously exploited two Microsoft Exchange zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082). In addition to this, the group leveraged another Fortinet zero-day vulnerability to install previously unknown Castletap and Thincrust backdoors onto FortiGate firewall devices. By March 2023, Fortinet had published security advisories addressing this high-severity security vulnerability. However, prior to these advisories, the suspected China-nexus threat actor had already gained persistent access to victim environments, deploying backdoors onto Fortinet and VMware solutions. The use of CVE-2022-41328 allowed the threat actors to bypass authentication and execute code with system privileges, demonstrating the serious nature of this vulnerability.
Description last updated: 2024-03-15T11:15:55.199Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Fortios
Malware
Fortinet
Fortigate
Exploit
exploited
Mandiant
Chinese
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Unc3886 Threat Actor is associated with CVE-2022-41328. UNC3886 is a threat actor, believed to be linked to China, that has been active in cyberespionage activities. The group has been exploiting a zero-day vulnerability in VMware's vCenter Server, identified as CVE-2023-34048, since at least late 2021. This advanced persistent threat (APT) group's actioUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The Follina Vulnerability is associated with CVE-2022-41328. Follina (CVE-2022-30190) is a software vulnerability that was discovered and exploited in the first half of 2022. It was weaponized by TA413, a malicious entity known for its cyber attacks, shortly after its discovery and publication. The vulnerability was used to target the Sophos Firewall product,Unspecified
2
Source Document References
Information about the CVE-2022-41328 Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
CISA
8 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
a year ago
Securityaffairs
a year ago
InfoSecurity-magazine
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
Securityaffairs
2 years ago
CERT-EU
2 years ago
Securityaffairs
2 years ago
Securityaffairs
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
Malwarebytes
2 years ago
CERT-EU
2 years ago
Securityaffairs
2 years ago