CVE-2022-41327

7.8 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers with readonly superadmin privileges in Fortinet FortiOS and FortiProxy to intercept cleartext traffic and obtain other administrators' session cookies via diagnose CLI commands. This affects FortiOS versions 7.2.0-7.2.4 and 7.0.0-7.0.8, and FortiProxy versions 7.2.0-7.2.1 and 7.0.0-7.0.8.

💻 Affected Systems

Products:
  • Fortinet FortiOS
  • Fortinet FortiProxy
Versions: FortiOS 7.2.0-7.2.4, 7.0.0-7.0.8; FortiProxy 7.2.0-7.2.1, 7.0.0-7.0.8
Operating Systems: FortiOS, FortiProxy OS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated attacker with readonly superadmin privileges; affects both management interfaces and CLI access.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could hijack administrator sessions, gain full administrative access, and potentially compromise the entire network infrastructure.

🟠

Likely Case

Attackers with existing readonly superadmin access could escalate privileges to full administrative control by stealing session cookies.

🟢

If Mitigated

With proper network segmentation and monitoring, impact would be limited to the affected administrative interface with no lateral movement.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires existing readonly superadmin credentials; uses built-in diagnose CLI commands.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FortiOS 7.2.5, 7.0.9; FortiProxy 7.2.2, 7.0.9

Vendor Advisory: https://fortiguard.com/psirt/FG-IR-22-380

Restart Required: Yes

Instructions:

1. Download the latest firmware from the Fortinet support portal.
2. Back up the configuration.
3. Upload the firmware via GUI or CLI.
4. Reboot the device.
5. Verify the version after reboot.

🔧 Temporary Workarounds

Restrict CLI Access

all

Limit diagnose CLI command access to only necessary administrators.

config system admin
edit <admin_user>
set accprofile "prof_admin"
end

Network Segmentation

all

Isolate management interfaces from general network access.

🧯 If You Can't Patch

  • Implement strict network segmentation for management interfaces
  • Monitor and audit all CLI diagnostic command usage by readonly superadmin accounts

🔍 How to Verify

Check if Vulnerable:

Compare the running version (see below) against the affected ranges: FortiOS 7.2.0-7.2.4 and 7.0.0-7.0.8, FortiProxy 7.2.0-7.2.1 and 7.0.0-7.0.8.

Check Version:

get system status | grep Version

Verify Fix Applied:

Verify that the version is 7.2.5 or later (7.2 branch) or 7.0.9 or later (7.0 branch) for FortiOS, and 7.2.2 or later (7.2 branch) or 7.0.9 or later (7.0 branch) for FortiProxy.
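A version check for this CVE, written as an added example (not Fortinet's code or part of this advisory): it parses the "Version:" line of get system status output and compares the result against the affected ranges listed above. The line format and the model-name convention used to tell FortiProxy from FortiOS are assumptions, and the sample outputs are constructed.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges taken from the advisory text: branch -> (first affected, first fixed).
# Anything outside a listed branch is reported as "not listed" (None) rather than guessed.
AFFECTED = {
    "FortiOS":    {(7, 2): ((7, 2, 0), (7, 2, 5)), (7, 0): ((7, 0, 0), (7, 0, 9))},
    "FortiProxy": {(7, 2): ((7, 2, 0), (7, 2, 2)), (7, 0): ((7, 0, 0), (7, 0, 9))},
}

# Assumed shape of the 'Version:' line printed by 'get system status', e.g.
#   Version: FortiGate-100F v7.2.3,build1262,221104 (GA.F)
VERSION_RE = re.compile(r"^Version:\s*(\S+?)\s+v(\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_status(output: str) -> Tuple[str, Version]:
    """Return (product, version) from 'get system status' output.
    Product is inferred from the model token (assumption: FortiProxy models start with 'FortiProxy')."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Version:' line found in status output")
    model = m.group(1)
    product = "FortiProxy" if model.lower().startswith("fortiproxy") else "FortiOS"
    return product, (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def is_vulnerable(product: str, version: Version) -> Optional[bool]:
    """True if version is in an affected range, False if at/after the fix, None if the branch is not listed."""
    rng = AFFECTED[product].get(version[:2])
    if rng is None:
        return None
    first_affected, first_fixed = rng
    return first_affected <= version < first_fixed


def check_status(output: str) -> Optional[bool]:
    """Parse the status output and evaluate it against CVE-2022-41327."""
    product, version = parse_status(output)
    return is_vulnerable(product, version)


# Constructed sample outputs (not captured from real devices).
SAMPLE_VULN = "Version: FortiGate-100F v7.2.3,build1262,221104 (GA.F)\nSerial-Number: FGT_PLACEHOLDER\n"
SAMPLE_FIXED = "Version: FortiProxy-VM64 v7.2.2,build0110,230301 (GA)\n"

if __name__ == "__main__":
    for sample in (SAMPLE_VULN, SAMPLE_FIXED):
        print(parse_status(sample), "vulnerable:", check_status(sample))
```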

📡 Detection & Monitoring

Log Indicators:

  • Unusual diagnose CLI command usage by readonly superadmin accounts
  • Multiple administrator session creations from same source

Network Indicators:

  • Cleartext traffic containing session cookies on management interfaces
  • Unexpected traffic interception patterns

SIEM Query:

source="fortigate" AND (command="diagnose" OR "cookie" OR "session")
