In early 2023, Fortinet disclosed CVE-2022-41328, a dangerous path traversal vulnerability within its popular FortiOS system. A bug existed in how the CLI (Command Line Interface) restricted file paths, opening the door for attackers with administrative rights to leave the “fortified” walls—and read or overwrite nearly any file on the system.

Let’s break this down in plain English, look at why this is dangerous, show sample code and techniques for exploiting this, and point you to credible sources if you want to learn more.

What is CVE-2022-41328?

Put simply:  
It's an improper limitation of a pathname to a restricted directory ("path traversal"). Fortinet FortiOS did not sanitize paths properly—so someone with CLI access could use something like ../../../../../etc/passwd to reach files outside of the intended directory.

Affected versions: FortiOS before 6.4.11

> Official advisory: https://www.fortiguard.com/psirt/FG-IR-22-300

How Does Path Traversal Work?

Path traversal bugs let a bad actor use ../ or similar tricks to “climb up” a directory tree and access files they should never touch. Almost any program that deals with file paths can make this mistake.

- The software thinks it is saving (or reading) a file inside a safe folder.
- An attacker supplies an evil path like ../../../etc/shadow.
- Because the ../ segments are never stripped or checked, the resolved path lands outside the safe folder.

The Fortinet FortiOS CLI Vulnerability

The FortiOS CLI normally expects file paths to stay inside a certain folder (like /data/). Due to this bug, a user with elevated privileges (admin / special access) can craft CLI command arguments that escape this folder.

For example:  
A user runs a command expecting to only touch /data/config.txt,  
…but enters ../../etc/passwd instead.

Now, commands like execute backup or execute restore could manipulate files the attacker is not supposed even to see.

Example Exploit Scenario

Let’s picture an attacker with CLI access (SSH, Web, or direct console)—they want to read /etc/passwd or drop a backdoored SSH key.

Suppose the CLI has a command like:

execute backup config /data/safe/config.bak

The vulnerable code may look like this (simplified Python):

config_data = "..."  # the configuration blob being backed up (placeholder)

def backup_config(path):
    # No validation: whatever path the caller supplies is opened for writing
    with open(path, "w") as f:
        f.write(config_data)

But—*there’s no check!* So the attacker runs:

execute backup config ../../../../etc/passwd

which ends up calling:

backup_config("../../../../etc/passwd")

Yes: in this sketch the write lands on /etc/passwd, and the equivalent read commands would send system configuration files off the FortiGate.

Step 2: Read Sensitive Files

Want to read SSH keys, password files, or other configs?

execute restore config ../../../../root/.ssh/authorized_keys

Proof-of-Concept Code Snippet

Here’s a simple proof-of-concept using Python to show how path traversal could happen if paths go unchecked:

def cli_file_command(filename):
    full_path = "/data/" + filename  # <- dangerous concatenation
    # A safer version would use real path resolving and check path start
    with open(full_path, 'r') as f:
        print(f.read())

# Attacker input:
user_input = "../../../etc/passwd"
cli_file_command(user_input)  # This will read system password file!

Real FortiOS code is C—not Python—but the idea is the same: the system did not check whether the filename really stayed inside /data/.
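The check the comment in the snippet above calls for, as an added example that is not the page's or Fortinet's code: the page's unchecked concatenation beside a version that resolves the real path and verifies it stays inside the base folder. The temporary base directory and the file names are constructed stand-ins for /data and /etc/passwd.

```python
import os
import tempfile


def resolve_inside(base_dir, user_path):
    """Join user_path to base_dir and return the real (symlink-resolved) path,
    raising ValueError if it ends up outside base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath, not startswith: a plain string-prefix test would accept
    # "/data2/x" as being inside "/data".
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes %s: %r" % (base_dir, user_path))
    return candidate


def read_vulnerable(base_dir, filename):
    # The page's pattern: raw concatenation, no containment check at all.
    with open(base_dir + "/" + filename) as f:
        return f.read()


def read_safe(base_dir, filename):
    with open(resolve_inside(base_dir, filename)) as f:
        return f.read()


def demo():
    """Build a throwaway 'data' folder plus a file outside it (constructed
    stand-ins for /data and /etc/passwd) and exercise both readers."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "data")
        os.mkdir(base)
        with open(os.path.join(base, "config.txt"), "w") as f:
            f.write("hostname=fw1\n")
        with open(os.path.join(root, "secret.txt"), "w") as f:
            f.write("outside\n")
        attempts = {
            "dotdot": "../secret.txt",
            "nested": "sub/../../secret.txt",  # 'sub' need not exist
            "absolute": os.path.join(root, "secret.txt"),
        }
        results = {"legit": read_safe(base, "config.txt"),
                   "vulnerable_dotdot": read_vulnerable(base, "../secret.txt")}
        for name, evil in attempts.items():
            try:
                read_safe(base, evil)
                results[name] = "ALLOWED"
            except ValueError:
                results[name] = "blocked"
        return results
```

Calling demo() shows the unchecked reader returning the file outside the base folder while the checked reader rejects every traversal variant and still serves the legitimate config file.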

Beyond reading files, the impact includes device tampering: modifying configurations or destroying device functionality.

Note: exploitation requires CLI access—not mere exposure to the public internet. But in many enterprises, admin accounts are shared or weakly protected.

Exploit in the Wild?

This vulnerability is severe. According to Fortinet’s advisory, there were reports of targeted attacks exploiting it. Always patch as soon as possible.

Mitigation

- Patch immediately: See Fortinet's advisory for fixed versions.

References & More Reading

- Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-22-300
- NIST NVD listing: https://nvd.nist.gov/vuln/detail/CVE-2022-41328
- Informative writeup by BleepingComputer

Closing Thoughts

CVE-2022-41328 is a major reminder that input validation—the “boring” work of checking file names—can make all the difference between “Forti” and “faux-security.” If you use Fortinet gear, check your patch levels *now*. If you’re building your own software, make sure untrusted file paths *never* escape their sandbox.

Stay sharp and patch early!

*Copyright © 2024*

Timeline

Published on: 03/07/2023 17:15:00 UTC
Last modified on: 03/14/2023 15:20:00 UTC