New FortiOS bug exploited in attacks targeting government orgs

Threat actors exploited a recently patched vulnerability in Fortinet's FortiOS in attacks aimed at government entities and government-related organizations, most likely with the goal of stealing data.

The zero-day vulnerability in question is CVE-2022-41328, a path traversal issue caused by an input validation error when processing certain CLI commands. It may allow a privileged attacker to read and write arbitrary files on the device via crafted CLI commands; because it requires privileged access, it is a post-authentication bug rather than an initial-access vector.

The bug affects FortiOS versions 6.4.0 through 6.4.11, 7.0.0 through 7.0.9, 7.2.0 through 7.2.3, and all versions of FortiOS 6.0 and 6.2. To remedy the issue, users are advised to upgrade vulnerable systems to FortiOS 6.4.12 or later, 7.0.10 or later, or 7.2.4 or later.

The attacks were discovered when multiple FortiGate devices belonging to an unnamed customer experienced “sudden system halt and subsequent boot failure,” indicating an integrity breach.

“If an integrity breach is detected, the device will shut down and refuse to boot to protect the integrity of the network,” Fortinet explained in a security advisory.

The investigation found that the attackers modified the /sbin/init file within the device's firmware image and added a new file, /bin/fgfm, whose name resembles the legitimate FGFM (FortiGate to FortiManager) management protocol. The modification to /sbin/init ensures that /bin/fgfm, which may provide the attacker with persistent access and control, runs before the regular boot-up actions proceed.
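The two indicators above (a tampered /sbin/init and a new /bin/fgfm) are the kind of thing an incident responder would check for in a firmware image pulled off a suspect device. The following script is an added example, not Fortinet's tooling and not from the original article: it takes an extracted root filesystem directory, compares the hash of sbin/init against a known-good hash from a clean image of the same build, looks for the /bin/fgfm string inside init, and reports whether bin/fgfm exists. The sample rootfs it builds in a temporary directory is constructed for the demonstration and is not a real FortiOS image; the known-good hash is likewise computed from that constructed file, not a real Fortinet build.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators taken from the Fortinet findings summarised above: a modified
# /sbin/init and a newly added /bin/fgfm.
MODIFIED_FILE = "sbin/init"
DROPPED_FILE = "bin/fgfm"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_rootfs(root: Path, known_good_init_sha256: str) -> list[str]:
    """Return a list of findings for an extracted root filesystem.

    known_good_init_sha256 is the hash of /sbin/init from a clean image of the
    same build. It must come from a trusted copy (e.g. the vendor download),
    never from the device under investigation.
    """
    findings: list[str] = []
    init_path = root / MODIFIED_FILE
    dropped = root / DROPPED_FILE

    if not init_path.is_file():
        findings.append(f"{MODIFIED_FILE}: missing")
    else:
        actual = sha256_of(init_path)
        if actual != known_good_init_sha256:
            findings.append(f"{MODIFIED_FILE}: sha256 {actual} does not match known-good build")
        # The reported modification makes init launch /bin/fgfm early in boot,
        # so the path string normally ends up inside the init binary.
        if b"/bin/fgfm" in init_path.read_bytes():
            findings.append(f"{MODIFIED_FILE}: references /bin/fgfm")

    if dropped.exists():
        findings.append(f"{DROPPED_FILE}: present ({dropped.stat().st_size} bytes)")

    return findings


def build_sample(compromised: bool) -> tuple[Path, str]:
    """Construct a throw-away fake rootfs for demonstration (not a real image).

    Returns the rootfs directory and the known-good hash of its clean init.
    """
    root = Path(tempfile.mkdtemp(prefix="rootfs-"))
    (root / "sbin").mkdir()
    (root / "bin").mkdir()
    clean_init = b"#!/bin/sh\n# constructed stand-in for /sbin/init\nexec /bin/sysinit\n"
    baseline = hashlib.sha256(clean_init).hexdigest()
    if compromised:
        # Constructed tampered init: launches the dropped binary before normal boot.
        (root / "sbin" / "init").write_bytes(b"#!/bin/sh\n/bin/fgfm &\nexec /bin/sysinit\n")
        (root / "bin" / "fgfm").write_bytes(b"\x7fELF constructed placeholder")
    else:
        (root / "sbin" / "init").write_bytes(clean_init)
    return root, baseline


if __name__ == "__main__":
    for label, flag in (("clean", False), ("compromised", True)):
        sample_root, known_good = build_sample(flag)
        print(label, scan_rootfs(sample_root, known_good) or ["no findings"])
```

Two practical caveats: a real FortiGate keeps its root filesystem compressed inside the firmware image, so the directory handed to scan_rootfs has to come from an image extracted offline, and a hash mismatch alone only says init differs from your baseline, which is why the script also reports the concrete /bin/fgfm indicator rather than relying on the hash by itself.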

The Fortinet investigation team believes the affected FortiGate devices were most likely compromised through access via the FortiManager device, based on three observations: all affected FortiGate devices detected the attack and halted at around the same time, all were compromised in the same way, and the timing coincides with scripts being executed on the FortiGate devices via FortiManager.

Currently, it’s unclear if the threat actor behind this attack is linked to another intrusion that exploited a flaw in FortiOS SSL-VPN (CVE-2022-42475) earlier this year to deploy a Linux implant.
