In February 2023, Fortinet, a leading cybersecurity company, disclosed a serious vulnerability: CVE-2022-41335 (advisory FG-IR-22-359). The flaw affects many versions of FortiOS, FortiProxy, and FortiSwitchManager and lets an authenticated attacker read and write files on the underlying system, putting sensitive data in critical enterprise networks at risk.
This writeup breaks down what CVE-2022-41335 is, how attackers exploit it, and what you should do about it, all in straightforward language.
What Is CVE-2022-41335?
CVE-2022-41335 is a *relative path traversal* bug classified under CWE-23. It happens when software does not properly sanitize user-supplied input that ends up in a file path, so an attacker can manipulate the path and reach files outside the intended directory.
Affected versions (the list here is partial and the version numbers are truncated): FortiSwitchManager 7.2. and all versions before 7.. FortiOS and FortiProxy are affected as well.
Read Fortinet's official advisory (FG-IR-22-359, linked below) for the complete list of affected and fixed versions.
The Core Problem
Normally, when you request a file from a system, the code should only allow access to files in *approved* folders. Path traversal attacks use sequences like ../ (dot-dot-slash) to "traverse" up the directory tree and escape that restriction.
If you are allowed to download /user/profile/picture.jpg but the server does not check or sanitize the file path parameter, you might request /user/profile/../../../etc/passwd instead. The server would then return the contents of /etc/passwd, a Linux system file that is world-readable and therefore the classic proof of a traversal bug; the same trick reaches configuration files that hold credentials and, where the endpoint also writes, lets an attacker overwrite them.
The Vulnerable Mechanism
In these Fortinet products, some HTTP endpoints accept file path parameters from clients (the user's web browser or scripts) without adequate checks on which paths are allowed. Because a valid session is required, the bug is classed as authenticated: the attacker needs at least one working login to the web interface.
The attack, step by step:
1. Authenticate to the web interface.
2. Craft a malicious HTTP request (a POST or GET) whose path parameter contains a traversal sequence such as ../../../../etc/passwd.
3. Send the request. On an unpatched device the server processes the path as given and returns, or overwrites, files anywhere on its file system that the web process can reach.
Real Example HTTP Request
Below is a simplified example of exploiting path traversal in an HTTP API call (for illustration only):
POST /api/v2/file/download HTTP/1.1
Host: fortigate.example.com
Cookie: APSCOOKIE=your_session_cookie
Content-Type: application/json
{
"file_path": "../../../../etc/passwd"
}
If the device is unpatched, you might get the full contents of /etc/passwd in your response!
Important: The actual endpoint names, cookies, and parameters may differ—always refer to real logs or Fortinet documentation for specifics.
Here is what a vulnerable handler might look like, written as a Flask-style Python route (illustrative only, not Fortinet's code):
from flask import Flask, request

app = Flask(__name__)

@app.route('/api/file/download', methods=['POST'])
def download_file():
    file_path = request.json['file_path']  # attacker-controlled input, never validated
    # Plain string concatenation: any '../' components in file_path walk out of /user/profiles/
    with open('/user/profiles/' + file_path, 'rb') as f:
        return f.read()
If file_path is ../../../../etc/passwd, the concatenated path resolves to /etc/passwd: the server opens a file far outside the intended /user/profiles/ directory.
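The two passages above (the ../ walk described under The Core Problem and the concatenating handler just shown) side by side with the check that stops it. This is an added example, my own code rather than Fortinet's or the handler above made real: it resolves paths against a temporary directory created for the example, and the function names are mine. The hardened version assumes the web framework has already percent-decoded the parameter, so the check runs on the decoded value.

```python
import os
import posixpath
import tempfile

# Constructed sandbox: a throwaway "approved" directory holding one file, so the
# example runs offline and never touches a real /user/profiles or /etc/passwd.
ROOT = tempfile.mkdtemp(prefix="profiles-")
with open(os.path.join(ROOT, "picture.jpg"), "wb") as fh:
    fh.write(b"JPEGDATA")


def vulnerable_resolve(base, user_path):
    """What the handler above actually opens: base + user input, no validation.
    posixpath is used so the lexical result is the same on every platform."""
    return posixpath.normpath(base + "/" + user_path)


def safe_resolve(base, user_path):
    """Hardened lookup (hypothetical name): refuse absolute input (os.path.join
    would discard the base for it), resolve '..' and symlinks with realpath, and
    refuse any result that is not inside the approved root."""
    root = os.path.realpath(base)
    if user_path.startswith(("/", "\\")):
        raise PermissionError(f"absolute path not allowed: {user_path!r}")
    candidate = os.path.realpath(os.path.join(root, user_path))
    # commonpath, not startswith: '/user/profiles' must not accept '/user/profiles-old/x'
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes approved directory: {user_path!r}")
    return candidate


def is_allowed(base, user_path):
    """True if safe_resolve would serve the request, False if it refuses it."""
    try:
        safe_resolve(base, user_path)
        return True
    except PermissionError:
        return False


def read_profile(user_path, base=ROOT):
    """Hardened counterpart of download_file(): returns the file bytes or raises."""
    with open(safe_resolve(base, user_path), "rb") as f:
        return f.read()


if __name__ == "__main__":
    probes = [
        "picture.jpg",                 # legitimate request
        "../../../../etc/passwd",      # the classic walk-up
        "subdir/../../../etc/passwd",  # traversal hidden behind a plausible prefix
        "/etc/passwd",                 # absolute path: harmless with '+', fatal with os.path.join
    ]
    for p in probes:
        print(f"{p!r:32} concat -> {vulnerable_resolve('/user/profiles', p):28} "
              f"hardened -> {'serve' if is_allowed(ROOT, p) else 'REJECT'}")
```

The realpath-then-commonpath pattern is the check that matters: rejecting the literal string ".." is not enough, because encodings, symlinks and mixed separators all produce paths that only reveal the escape after normalization.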
Proof-of-Concept (PoC)
No public "one-click" exploit exists for this CVE (it went through coordinated disclosure). On a device you are authorized to test, you can probe for the bug with a request like the one above, after authenticating:
curl -X POST "https://[your_fortinet]/api/v2/file/download" \
  -H "Content-Type: application/json" \
  -H "Cookie: APSCOOKIE=[SESSION]" \
  -d '{"file_path": "../../../../etc/passwd"}'
Replace [your_fortinet] and [SESSION] with your target host and session cookie. As noted above, the endpoint and parameter names are illustrative.
If the response contains the contents of a system file you did not expect to reach, the device is likely vulnerable; a fixed version should refuse the path instead of serving the file.
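The defender's side of the probe above: the same traversal sequences appear in HTTP access logs, in plain, percent-encoded, double-encoded and backslash-separated forms. This added example (my own code, not Fortinet's) runs over constructed log lines in a generic access-log shape, not the real FortiGate log format, normalizes each query parameter and flags the ones that walk above the base directory. Caveat: a JSON POST body like the request shown earlier never appears in an access log, so a log scan of this kind catches only query-string variants; for request bodies you need the device's own event logging or a proxy/WAF in front of it that records bodies.

```python
import posixpath
import re
import urllib.parse

# Constructed access-log lines for the example (not real FortiGate logs, whose
# format differs). Lines 2-5 are traversal attempts in four encodings; the first
# line is a POST whose body is not logged, the last is a legitimate download.
SAMPLE_LOG = """\
10.0.0.5 - admin [16/Feb/2023:10:01:02 +0000] "POST /api/v2/file/download HTTP/1.1" 200 1834
10.0.0.5 - admin [16/Feb/2023:10:01:09 +0000] "GET /api/v2/file/download?file_path=../../../../etc/passwd HTTP/1.1" 200 2011
10.0.0.7 - bob [16/Feb/2023:10:02:31 +0000] "GET /api/v2/file/download?file_path=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2011
10.0.0.9 - carol [16/Feb/2023:10:03:00 +0000] "GET /api/v2/file/download?file_path=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 120
10.0.0.3 - dave [16/Feb/2023:10:04:00 +0000] "GET /api/v2/file/download?file_path=..%5c..%5cetc%5cpasswd HTTP/1.1" 200 2011
10.0.0.9 - carol [16/Feb/2023:10:05:05 +0000] "GET /api/v2/file/download?file_path=picture.jpg HTTP/1.1" 200 9001
"""

# Common access-log shape: client, ident, user, [timestamp], "METHOD target PROTO", status, bytes
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(value, max_rounds=3):
    """Percent-decode until stable (bounded, so %252e-style double encoding is
    unwrapped but hostile input cannot loop forever), treat backslashes as
    separators, then collapse '.' and '..' lexically with posixpath.normpath."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return posixpath.normpath(value.replace("\\", "/"))


def is_traversal(value):
    """A parameter is a traversal attempt if, once normalized, it still begins
    with '..' (walks above the base directory) or is an absolute path."""
    n = normalize(value)
    return n == ".." or n.startswith("../") or n.startswith("/")


def scan_log(text):
    """Return one finding per query parameter that normalizes to a traversal."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        query = urllib.parse.urlsplit(m.group("target")).query
        # parse_qsl already strips one layer of percent-encoding; normalize() handles the rest
        for name, raw in urllib.parse.parse_qsl(query, keep_blank_values=True):
            if is_traversal(raw):
                findings.append({
                    "src": m.group("src"),
                    "user": m.group("user"),
                    "param": name,
                    "decoded": normalize(raw),
                    "status": int(m.group("status")),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        # A 200 with a non-trivial byte count is the line worth escalating first.
        print(f"{f['src']:10} {f['user']:6} {f['param']}={f['decoded']:26} status={f['status']}")
```

Decoding before matching is what makes this useful: a rule that greps for the literal string "../" misses the bob, carol and dave lines entirely, while the normalized form is the same for all four attempts. Pair the hit with the response status and size, since an attempt that returned 200 with a file-sized body needs a different response than one that got a 404.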
Impact
- Read Confidential Files: Attackers can grab sensitive configs, credentials, and more.
- Write Arbitrary Files: Attackers may modify files, possibly enabling persistence or further exploitation.
How to Stay Safe
- Patch ASAP: Upgrade to the fixed versions listed in Fortinet's advisory. Patches are available for every affected branch.
- Limit Web Management Exposure: Never expose the web management interface to the public internet. Because the bug requires a valid login, also restrict which source addresses may reach the administrative interface, keep the set of admin accounts small, and enforce multi-factor authentication on them.
- Review Access Logs: Look for requests to file-handling endpoints whose parameters contain ../ sequences in plain or encoded form, since an attempt that returned a file is evidence of compromise rather than just of exposure.
Fortinet's official update information is in the FortiGuard advisory FG-IR-22-359, linked in the references below.
References & Further Reading
- CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2022-41335
- FortiGuard Advisory: https://www.fortiguard.com/psirt/FG-IR-22-359
- Path Traversal (CWE-23): https://cwe.mitre.org/data/definitions/23.html
In summary: CVE-2022-41335 is a powerful but sometimes overlooked flaw that lets an attacker with an account break through directory boundaries and grab or manipulate files they should never access. If you’re running any affected Fortinet gear—patch right away!
Timeline
Published on: 02/16/2023 19:15:00 UTC
Last modified on: 02/27/2023 18:04:00 UTC