Fortinet released security updates on March 7, 2023, to address a high-severity security vulnerability (CVE-2022-41328) in FortiOS that allowed threat actors to execute unauthorized code or commands. The vulnerability, an improper limitation of a pathname to a restricted directory ('path traversal') [CWE-22], may allow a privileged attacker to read and write arbitrary files via crafted CLI commands. The list of affected products includes FortiOS version 6.4.0 through 6.4.11, FortiOS version 7.0.0 through 7.0.9, FortiOS version 7.2.0 through 7.2.3, and all versions of FortiOS 6.0 and 6.2.
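To turn the affected-version list above into a triage check, here is an added example (not from the advisory or from Fortinet) that tests FortiOS version strings against those ranges. It compares version components numerically, so 7.0.10 is correctly treated as later than 7.0.9 rather than sorting before it as a string would. The hostnames and versions in the sample inventory are constructed.

```python
# Added example: check FortiOS version strings against the ranges the
# advisory lists as affected by CVE-2022-41328 (6.4.0-6.4.11, 7.0.0-7.0.9,
# 7.2.0-7.2.3, and every release of the 6.0 and 6.2 branches).

# ((major, minor), (first_affected_patch, last_affected_patch))
# A patch range of None means the entire branch is affected.
AFFECTED = [
    ((6, 0), None),
    ((6, 2), None),
    ((6, 4), (0, 11)),
    ((7, 0), (0, 9)),
    ((7, 2), (0, 3)),
]

def parse_version(s):
    """Parse '7.0.9' or 'v7.0.9' into (major, minor, patch) ints."""
    s = s.strip().lstrip("vV")
    parts = s.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {s!r}")
    return tuple(int(p) for p in parts)

def is_affected(version):
    """True if the version falls inside an affected range."""
    major, minor, patch = parse_version(version)
    for (br_major, br_minor), patch_range in AFFECTED:
        if (major, minor) != (br_major, br_minor):
            continue
        if patch_range is None:
            return True
        lo, hi = patch_range
        return lo <= patch <= hi
    return False

def triage(inventory):
    """inventory: {hostname: version}. Returns hostnames needing an upgrade."""
    return sorted(h for h, v in inventory.items() if is_affected(v))

# Constructed sample inventory (hypothetical hosts, not real devices)
SAMPLE_INVENTORY = {
    "fw-edge-01": "v7.0.9",
    "fw-edge-02": "7.0.12",
    "fw-dc-01": "6.4.11",
    "fw-lab-01": "6.2.14",
    "fw-branch-03": "7.2.4",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: FortiOS {SAMPLE_INVENTORY[host]} is affected, upgrade")
```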
Fortinet recently revealed that the vulnerability had been used in zero-day attacks targeting government and large organizations, leading to OS and file corruption and data loss. The attacks are highly targeted, with some hints of preferred governmental or government-related targets. As Fortinet noted, "The exploit requires a deep understanding of FortiOS and the underlying hardware. Custom implants show that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS."
Fortinet customers are advised to immediately upgrade to a patched version of FortiOS to block potential attack attempts (Fortinet has also published a list of IOCs). In January, Fortinet disclosed a very similar series of incidents in which a FortiOS SSL-VPN vulnerability patched in December 2022 and tracked as CVE-2022-42475 was also used as a zero-day bug to target government organizations and government-related entities.