CVE-2022-38372 - Undocumented Root Shell Command in FortiTester CLI – What You Need to Know

If you’re a network admin or just curious about cybersecurity, you should know about CVE-2022-38372: a pretty severe vulnerability that gave privileged users a way to get full root access on a range of FortiTester devices. This wasn’t a typical bug—there was actually a secret command hiding in the device’s CLI, letting someone pop a root shell with almost no effort. If you use FortiTester in your environment or want to understand hidden functionality [CWE-1242], this post will break it down in simple terms.

What is FortiTester?

FortiTester is a popular network testing tool from Fortinet designed for simulating and analyzing network traffic, often used in enterprise environments. Like other devices from Fortinet, it’s widely trusted for securing and assessing critical networks.

7.. through 7.1.

At its core, this is a “hidden functionality” issue (CWE-1242). Basically, the FortiTester CLI included an undocumented command—one you wouldn’t find in the manuals or normal help pages. If you knew about it and had privileged (admin) access, you could use the CLI to get a root shell. This means you could do literally anything on the device.

Why is This Dangerous?

Root access means total control. Even though you need to be a “privileged local user”—so not just anyone on the network—once you’re in you can:

Access all data, logs, and traffic captured

For security professionals and attackers alike, this is a gold mine. It also bypasses many existing controls, like the normal FortiTester permission checks.

How the Exploit Works

Let’s walk through how someone might actually use this vulnerability. First, you need to be logged into the FortiTester CLI as a privileged user (like admin). Then, you simply enter the undocumented command—usually not listed anywhere except in the program’s source code or by reverse engineering the firmware.

Example Exploit Steps

Suppose the secret root shell command is startroot (note: this is a placeholder – the real command is not publicly documented as a responsible disclosure practice):

# Log into the FortiTester CLI with your admin account
ssh admin@fortitester-device

# At the CLI prompt, enter the secret command:
startroot

# You have a root shell now!
whoami
root

That’s it—the device gives you full root access with no extra checks.

The trickiest part for most attackers is figuring out what command to use. Researchers often

1. Extract and analyze firmware: Download update files or dump the device’s memory, and look for strings or functions that execute shells.
2. Run strings or similar tools: These tools find human-readable text, including possible hidden CLI commands.

Here’s a basic way you could look for commands if you had the firmware

$ strings fortitester_cli_binary | grep -i shell
# Output might reveal something suspicious like "startroot" or "openshell"

This isn’t just theory—security researchers do this all the time to find hidden backdoors or functionality.

References

- Original Fortinet Advisory
- CVE-2022-38372 at NVD
- CWE-1242: Inclusion of Undocumented Features or Functionality

Final Thoughts

CVE-2022-38372 shows just how risky undocumented or hidden features can be. If vendors tuck away secret commands—even for “debugging” or “support”—they become major targets once someone stumbles on them.

Always keep devices patched, limit admin logins, and stay alert to advisories like this one. If you’re an admin or researcher, now you know what to look for—because with security, it’s usually what you *don’t* see that gets you.

Stay safe and keep your hardware updated!

If you want to deep dive more, check out the official Fortinet advisory.

Timeline

Published on: 11/02/2022 12:15:00 UTC
Last modified on: 11/04/2022 03:26:00 UTC