CVE-2022-41328

Vulnerability updated 7 months ago (2024-05-04T18:34:29.884Z)

Download STIX

Preview STIX

CVE-2022-41328 is a significant software vulnerability discovered in Fortinet's FortiOS. It was heavily targeted by China-nexus intrusion sets, particularly UNC3886, who exploited the vulnerability to deploy custom malware families on Fortinet and VMware systems. This exploitation occurred in September 2022, allowing the threat actors to write files directly to FortiGate firewall disks. The attackers also used the compromised appliances as a pivot point to gain access to ESXi infrastructure and subsequently to VM guests. The exploitation of CVE-2022-41328 was part of a broader campaign that involved several other zero-day vulnerabilities. For instance, Mandiant reported that the same group had previously exploited two Microsoft Exchange zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082). In addition to this, the group leveraged another Fortinet zero-day vulnerability to install previously unknown Castletap and Thincrust backdoors onto FortiGate firewall devices. By March 2023, Fortinet had published security advisories addressing this high-severity security vulnerability. However, prior to these advisories, the suspected China-nexus threat actor had already gained persistent access to victim environments, deploying backdoors onto Fortinet and VMware solutions. The use of CVE-2022-41328 allowed the threat actors to bypass authentication and execute code with system privileges, demonstrating the serious nature of this vulnerability.

Description last updated: 2024-03-15T11:15:55.199Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Vulnerability

Fortios

Malware

Fortinet

Fortigate

Exploit

exploited

Mandiant

Chinese

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Unc3886 Threat Actor is associated with CVE-2022-41328. UNC3886 is a threat actor, believed to be linked to China, that has been active in cyberespionage activities. The group has been exploiting a zero-day vulnerability in VMware's vCenter Server, identified as CVE-2023-34048, since at least late 2021. This advanced persistent threat (APT) group's actio	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The Follina Vulnerability is associated with CVE-2022-41328. Follina (CVE-2022-30190) is a software vulnerability that was discovered and exploited in the first half of 2022. It was weaponized by TA413, a malicious entity known for its cyber attacks, shortly after its discovery and publication. The vulnerability was used to target the Sophos Firewall product,	Unspecified	2

Source Document References

Information about the CVE-2022-41328 Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CISA	8 months ago	Siemens RUGGEDCOM APE1808 with Fortigate NGFW Devices \| CISA
CERT-EU	10 months ago	Chinese Hackers Silently Weaponized VMware Zero-Day Flaw for 2 Years
CERT-EU	10 months ago	Chinese hackers exploit VMware bug as zero-day for two years
CERT-EU	10 months ago	Infographic: A History of Network Device Threats and What Lies Ahead
CERT-EU	10 months ago	Infographic: A History of Network Device Threats and What Lies Ahead \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	a year ago	My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
Securityaffairs	a year ago	Reptile Rootkit employed in attacks against Linux systems in South Korea
InfoSecurity-magazine	a year ago	Fortinet and PaperCut: Unveiling Critical Vulnerabilities in 2023
CERT-EU	a year ago	Top vulnerabilities so far of 2023: Apache Superset, Papercut, MOVEit and yes, ChatGPT
CERT-EU	a year ago	Which Critical Vulnerabilities Discovered in 2023 Can Do Serious Damage? Read Our Report
Securityaffairs	2 years ago	Advanced actor targets Fortinet FortiOS in attacks on govt entities
CERT-EU	2 years ago	CVE-2022-41328 in FortiOS Exploited in Highly Targeted Attacks
Securityaffairs	2 years ago	China-linked APT likely linked to Fortinet zero-day attacks
Securityaffairs	2 years ago	CISA adds Adobe ColdFusion bug to Known Exploited Vulnerabilities Catalog
CERT-EU	2 years ago	Exploitation of Recent Fortinet Zero-Day Linked to Chinese Cyberspies
CERT-EU	2 years ago	Cyber security week in review: March 17, 2023
CERT-EU	2 years ago	Exploitation of Recent Fortinet Zero-Day Linked to Chinese Cyberspies \| Antivirus and Security news
Malwarebytes	2 years ago	Update now! Microsoft fixes two zero-day bugs
CERT-EU	2 years ago	Chinese threat group suspected to be behind Fortinet zero-day attacks
Securityaffairs	2 years ago	2022 Zero-Day exploitation continues at a worrisome pace