CVE-2022-27488

8.3 HIGH

📋 TL;DR

This CSRF vulnerability lets a remote, unauthenticated attacker execute CLI commands on the device by having an authenticated administrator's browser issue a crafted GET request; the forged request rides on the administrator's existing session, so the attacker never needs credentials. Affected systems include multiple Fortinet products (FortiVoiceEnterprise, FortiSwitch, FortiMail, FortiRecorder, FortiNDR) across the versions listed below. Because the commands run with the administrator's privileges, successful exploitation can amount to full administrative control of the device.

💻 Affected Systems

Products:
  • FortiVoiceEnterprise
  • FortiSwitch
  • FortiMail
  • FortiRecorder
  • FortiNDR
Versions: FortiVoiceEnterprise: 6.4.x, 6.0.x; FortiSwitch: 7.0.0-7.0.4, 6.4.0-6.4.10, 6.2.0-6.2.7, 6.0.x; FortiMail: 7.0.0-7.0.3, 6.4.0-6.4.6, 6.2.x, 6.0.x; FortiRecorder: 6.4.0-6.4.2, 6.0.x, 2.7.x, 2.6.x; FortiNDR: 1.x.x
Operating Systems: each product's own Fortinet firmware (for example FortiSwitchOS on FortiSwitch); FortiOS / FortiGate is not in the affected list
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an administrator to be logged into the vulnerable web interface and to open an attacker-supplied link or page while that session is active.

📦 What is this software?

These are Fortinet appliance and virtual-appliance products, each managed through its own web administration interface: FortiSwitch (Ethernet switching), FortiMail (email security gateway), FortiRecorder (video surveillance recorder), FortiVoiceEnterprise (IP PBX / unified communications) and FortiNDR (network detection and response).

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full administrative control of the device through attacker-chosen CLI commands: new administrator accounts, altered configuration or routing and traffic redirection, disabled logging, and persistence that survives until the firmware is reinstalled and the configuration reviewed.

🟠

Likely Case

Unauthorized configuration changes, creation of additional admin accounts or backdoor access, or disruption of the services the device provides (switching, mail delivery, recording, voice).

🟢

If Mitigated

Limited impact where administrators manage the device only from a dedicated browser or jump host that is not used for general browsing, sessions are logged out rather than left open, and the management interface is reachable only from a management network.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attacker needs no credentials and no access to the management network. The only hurdle is getting a logged-in administrator to load the link (by email, chat, or a page the administrator visits); after that the exploit is a single GET request that the browser sends with the administrator's session cookie attached.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FortiVoiceEnterprise: 6.4.5, 6.0.8; FortiSwitch: 7.0.5, 6.4.11, 6.2.8, 6.0.14; FortiMail: 7.0.4, 6.4.7, 6.2.10, 6.0.12; FortiRecorder: 6.4.3, 6.0.9, 2.7.5, 2.6.7; FortiNDR: 1.5.0

Vendor Advisory: https://fortiguard.com/psirt/FG-IR-22-038

Restart Required: Yes

Instructions:

1. Download the appropriate firmware update from the Fortinet support portal.
2. Back up the current configuration.
3. Apply the firmware update via the web interface or CLI.
4. Reboot the device.
5. Verify the update succeeded and that normal functionality is restored.

🔧 Temporary Workarounds

Restrict where administrators browse from

all

Anti-CSRF tokens and SameSite cookie attributes are the controls a fix for this bug class applies inside the appliance's web UI; an operator cannot add them to Fortinet firmware. Until patched, reduce the chance that a logged-in administrator's browser ever receives a forged request: manage the device from a dedicated browser profile or jump host that is not used for general web browsing or email, log out of the admin UI when finished instead of leaving sessions open, and shorten the administrative idle timeout.

Limit exposure of the management interface

all

Restrict administrative access to trusted source addresses and a management network. Note that this does not block CSRF by itself: the forged request originates from the administrator's own browser, so the restriction only helps when the machine the administrator uses for everyday browsing is not one of the trusted sources.
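The following is an added example, not Fortinet code and not taken from the advisory: a model of the bug class (an admin UI that runs a CLI command named in a GET parameter, authorised by a session cookie alone) beside a hardened handler that applies the token, same-origin and method checks listed above, plus a small model of which SameSite settings actually keep the cookie off a cross-site request. The `/cli` path, the `cmd` parameter, the host name `switch.example.internal` and the in-memory session store are invented for the demonstration.

```python
"""Model of the bug class behind CVE-2022-27488: an admin web UI, authenticated
by a session cookie alone, that runs a CLI command named in a GET parameter.
Added example, not Fortinet code: the /cli path, the cmd parameter, the host
name and the session store are invented to show the checks a fix needs."""
import hmac
import secrets
from urllib.parse import urlparse

ADMIN_HOST = "switch.example.internal"   # assumed host name of the appliance UI
SESSIONS = {}                            # session id -> {"user": ..., "csrf": ...}
EXECUTED = []                            # commands that "ran" (stand-in for the CLI)


def login(user):
    """Create an admin session. The hardened UI would set the session cookie
    with SameSite=Strict; Secure; HttpOnly and embed the CSRF token in its pages."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def run_cli(cmd):
    """Stand-in for command execution: record what would have run."""
    EXECUTED.append(cmd)
    return "executed: " + cmd


def cookie_sent(samesite, from_site, to_site, method, top_level):
    """Whether a browser attaches a cookie to a request triggered from
    from_site to to_site. Strict: same-site only. Lax: same-site, or a
    top-level GET navigation. None: always. A crafted link or redirect is a
    top-level GET navigation, so Lax alone does not stop this bug class."""
    if from_site == to_site:
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        return method == "GET" and top_level
    return True


def vulnerable_handle(req):
    """Unsafe shape: a state change on GET, authorised by the cookie alone."""
    session = SESSIONS.get(req["cookies"].get("session"))
    if session is None:
        return 401, "login required"
    if req["path"] == "/cli" and "cmd" in req["query"]:
        return 200, run_cli(req["query"]["cmd"])
    return 404, "not found"


def hardened_handle(req):
    """Same endpoint with the controls a fix needs: no state change on GET,
    Origin/Referer must name the UI's own host, and a per-session token
    (compared in constant time) must accompany the request."""
    session = SESSIONS.get(req["cookies"].get("session"))
    if session is None:
        return 401, "login required"
    if req["path"] != "/cli":
        return 404, "not found"
    if req["method"] != "POST":
        return 405, "state-changing requests must be POST"
    source = req["headers"].get("Origin") or req["headers"].get("Referer")
    if not source or urlparse(source).hostname != ADMIN_HOST:
        return 403, "cross-site request refused"
    token = req["form"].get("csrf", "")
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return 403, "missing or wrong CSRF token"
    return 200, run_cli(req["form"]["cmd"])


def forged_get(sid):
    """What the admin's browser emits after opening an attacker's link while
    logged in: the session cookie is attached automatically (constructed request)."""
    return {"method": "GET", "path": "/cli", "query": {"cmd": "EXAMPLE-COMMAND"},
            "cookies": {"session": sid},
            "headers": {"Referer": "https://attacker.example/lure"}, "form": {}}


def legitimate_post(sid):
    """The UI's own form submission: POST, same-origin, carrying the token."""
    return {"method": "POST", "path": "/cli", "query": {},
            "cookies": {"session": sid},
            "headers": {"Origin": "https://" + ADMIN_HOST},
            "form": {"csrf": SESSIONS[sid]["csrf"], "cmd": "EXAMPLE-COMMAND"}}


if __name__ == "__main__":
    sid = login("admin")
    print("vulnerable handler, forged GET:", vulnerable_handle(forged_get(sid)))
    print("hardened handler, forged GET:  ", hardened_handle(forged_get(sid)))
    print("hardened handler, real POST:   ", hardened_handle(legitimate_post(sid)))
    print("Lax cookie sent on cross-site top-level GET:",
          cookie_sent("Lax", "attacker.example", ADMIN_HOST, "GET", True))
```

The point of `cookie_sent` is the caveat behind the "SameSite=Strict or Lax" advice: Lax still sends the cookie on a top-level GET navigation, which is exactly what a crafted link produces, so for an endpoint that changes state on GET only Strict (or the method and token checks in `hardened_handle`) closes the hole.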

🧯 If You Can't Patch

  • Implement network segmentation so the management interface is reachable only from a management network, and administer the device from a host on that network that is not used for general browsing or email
  • Enforce strict access controls and multi-factor authentication for administrative interfaces; note that MFA raises the bar for credential theft but does not stop CSRF, because the forged request reuses a session that has already passed MFA

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface (System > Dashboard) or CLI command 'get system status'

Check Version:

get system status | grep Version

Verify Fix Applied:

Verify the running firmware version is at or above the patched version for the same release branch listed in the vendor advisory (for example FortiSwitch 6.4.x must be 6.4.11 or later; being on 7.0.x does not help if it is below 7.0.5)
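As an added example (not a Fortinet tool), the script below turns the per-branch fixed-version table from the Fix section into a check that a `Version:` line from `get system status` can be fed into. The sample status lines are constructed, and the `vX.Y.Z` form of the version string is an assumption about the output format; the comparison logic (same major.minor branch, except FortiNDR where the advisory gives one fix for all 1.x.x) is the part worth reusing.

```python
"""Check a Fortinet device's running firmware against the fixed releases for
CVE-2022-27488 / FG-IR-22-038. Added example, not a Fortinet tool. The fixed
versions are those listed in the Fix section above; the 'Version:' line format
is modelled on 'get system status' output and the sample lines are constructed."""
import re

# Fixed releases per product, one per affected branch (from the advisory).
FIXED = {
    "FortiVoiceEnterprise": ["6.4.5", "6.0.8"],
    "FortiSwitch": ["7.0.5", "6.4.11", "6.2.8", "6.0.14"],
    "FortiMail": ["7.0.4", "6.4.7", "6.2.10", "6.0.12"],
    "FortiRecorder": ["6.4.3", "6.0.9", "2.7.5", "2.6.7"],
    "FortiNDR": ["1.5.0"],   # advisory gives a single fix for all of 1.x.x
}


def parse_version(text):
    """Extract (major, minor, patch) from a string such as
    'Version: FortiSwitch-124E v7.0.4,build0103,220422 (GA)'."""
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError("no version found in %r" % text)
    return tuple(int(g) for g in m.groups())


def fixed_release(product, running):
    """Fixed version on the same release branch as `running`, or None if the
    advisory does not list that branch. Branch = major.minor, except FortiNDR
    where the advisory covers the whole 1.x.x line with one release."""
    depth = 1 if product == "FortiNDR" else 2
    for fixed in (parse_version(v) for v in FIXED[product]):
        if fixed[:depth] == running[:depth]:
            return fixed
    return None


def assess(product, status_line):
    """Return 'vulnerable', 'fixed' or 'branch-not-listed' for one device."""
    running = parse_version(status_line)
    fixed = fixed_release(product, running)
    if fixed is None:
        return "branch-not-listed"
    return "fixed" if running >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample output lines, not captured from real devices.
    samples = [
        ("FortiSwitch", "Version: FortiSwitch-124E v7.0.4,build0103,220422 (GA)"),
        ("FortiSwitch", "Version: FortiSwitch-124E v6.4.11,build0500,220601 (GA)"),
        ("FortiMail", "Version: FortiMail-VM v7.2.0,build0001,220801 (GA)"),
        ("FortiNDR", "Version: FortiNDR-VM v1.4.0,build0120,220301 (GA)"),
    ]
    for product, line in samples:
        print(product, parse_version(line), "->", assess(product, line))
```

A result of `branch-not-listed` (for example FortiMail 7.2.x, which postdates the advisory) means the script has no data, not that the device is safe; confirm against the current advisory text before closing the finding.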

📡 Detection & Monitoring

Log Indicators:

  • CLI commands or configuration changes logged under an administrator account that the administrator did not knowingly issue, especially ones that coincide with that administrator opening external email or web content
  • Administrative actions from unusual IP addresses or outside the administrator's normal working hours
  • New administrator accounts, changed admin passwords, or disabled logging appearing in the event log without a matching change record

Network Indicators:

  • Unusual outbound connections from management interfaces
  • HTTP GET requests to administrative endpoints carrying command parameters, in particular with a Referer or Origin header from outside the management domain (the appliance's own UI issues its requests from the appliance's origin)

SIEM Query:

source="fortinet" AND (event_type="cli_command" OR event_type="admin_action") AND (src_ip NOT IN [admin_whitelist])

The field names above are placeholders; map them to the schema of your log source (these products forward admin activity as event logs over syslog, and a CSRF-driven command will carry the administrator's own source address, so pair the query with the unexpected-change indicators above rather than relying on the IP filter alone).

🔗 References

  • Fortinet PSIRT advisory FG-IR-22-038: https://fortiguard.com/psirt/FG-IR-22-038
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-27488