On 9 March 2023 Fortinet released an analysis of the investigation that led to the discovery of CVE-2022-41328, a path traversal vulnerability in FortiOS that allows a privileged attacker to read and write arbitrary files. It is unrelated to CVE-2023-25610, which was announced earlier this month, but both were addressed in the same update cycle. The investigation indicates that the attacks targeted government organizations. Specifically, the threat actor used the arbitrary file read/write capability to modify the device firmware, giving the implant persistence across reboots as well as command-and-control and data exfiltration functionality. The activity came to light only because several FortiGate devices halted during boot: the modified firmware failed the integrity self-test performed on devices running in FIPS mode, so the tampering was caught by an integrity check rather than by any monitoring.
As always, companies should patch as soon as their vulnerability management process allows. This case is also a reminder that the true criticality of a CVE depends on more than its CVSS score: exploitation here required privileged access, yet in an organization's specific environment, threat model, and attack surface a "post-authentication" file write on a perimeter device can be far more dangerous than the score suggests, because it lets an attacker who already holds credentials turn the firewall itself into a persistent implant. For detection, companies may be able to compare NetFlow (or equivalent flow telemetry) for the devices against a baseline of their normal traffic; a firewall that starts talking to an address it has never contacted before, or moving far more data than usual, is a strong signal. Since a compromised device cannot be trusted to report on itself, that flow data should be collected from a vantage point other than the device under suspicion, such as an upstream router or network tap. Additionally, a robust change control procedure enables detection of unexpected and unauthorized changes to firmware and system-critical files: with an accurate record of when authorized changes occurred, any firmware version or file hash that changed outside an approved window is something to investigate.
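The baseline-versus-observation comparison described above, as an added worked example that is not part of the Fortinet analysis or of the original post. The flow records are constructed for illustration, and the CSV field names (ts, src, dst, dport, bytes) are an assumption about what a flow exporter produces. The script learns, per source device, the set of destination:port peers and the typical egress bytes per hour from a baseline window, then flags two things in an observation window: a peer the device has never contacted, and an hourly byte total more than k standard deviations above the baseline mean.

```python
"""Flag unexpected egress from a network appliance by comparing flow records
against a learned baseline. Added example (not from the Fortinet analysis);
all flow data below is constructed and the CSV field names are assumptions.
"""
import csv
import io
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds
    src: str
    dst: str
    dport: int
    nbytes: int


@dataclass
class Baseline:
    # src -> set of (dst, dport) the device is known to contact
    peers: dict
    # src -> (mean, population stdev) of egress bytes per hour bucket
    hourly: dict


def parse_flows(text: str) -> list:
    """Parse exporter-style CSV (assumed columns: ts,src,dst,dport,bytes)."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return [Flow(int(r["ts"]), r["src"], r["dst"], int(r["dport"]), int(r["bytes"]))
            for r in reader]


def build_baseline(flows: list) -> Baseline:
    """Learn known peers and the hourly egress volume distribution per device."""
    peers = defaultdict(set)
    per_hour = defaultdict(lambda: defaultdict(int))   # src -> hour -> bytes
    for f in flows:
        peers[f.src].add((f.dst, f.dport))
        per_hour[f.src][f.ts // 3600] += f.nbytes
    hourly = {}
    for src, buckets in per_hour.items():
        vals = list(buckets.values())
        stdev = statistics.pstdev(vals) if len(vals) > 1 else 0.0
        hourly[src] = (statistics.fmean(vals), stdev)
    return Baseline(dict(peers), hourly)


def detect_anomalies(baseline: Baseline, observed: list, k: float = 3.0,
                     min_stdev_bytes: int = 1000) -> list:
    """Return findings as tuples:
       ("new_peer", src, dst, dport)                 - never-before-seen destination
       ("volume_spike", src, hour, total, threshold) - hourly bytes above mean + k*stdev
    min_stdev_bytes stops a very flat baseline from producing a hair-trigger threshold.
    """
    findings = []
    reported = set()
    per_hour = defaultdict(lambda: defaultdict(int))
    for f in observed:
        key = (f.dst, f.dport)
        if key not in baseline.peers.get(f.src, set()) and (f.src, key) not in reported:
            reported.add((f.src, key))          # report each new peer once
            findings.append(("new_peer", f.src, f.dst, f.dport))
        per_hour[f.src][f.ts // 3600] += f.nbytes
    for src, buckets in per_hour.items():
        if src not in baseline.hourly:
            continue                             # unknown device: its peers were already flagged
        mean, stdev = baseline.hourly[src]
        threshold = mean + k * max(stdev, min_stdev_bytes)
        for hour, total in sorted(buckets.items()):
            if total > threshold:
                findings.append(("volume_spike", src, hour, total, threshold))
    return findings


# Constructed baseline: six quiet hours of a firewall (10.0.0.1) doing DNS and
# reaching its update server. Constructed observation: same pattern plus a
# large transfer to a host it has never contacted.
BASELINE_CSV = """ts,src,dst,dport,bytes
0,10.0.0.1,10.0.0.53,53,2000
0,10.0.0.1,203.0.113.10,443,40000
3600,10.0.0.1,10.0.0.53,53,2100
3600,10.0.0.1,203.0.113.10,443,38000
7200,10.0.0.1,10.0.0.53,53,1900
7200,10.0.0.1,203.0.113.10,443,41000
10800,10.0.0.1,10.0.0.53,53,2000
10800,10.0.0.1,203.0.113.10,443,39000
14400,10.0.0.1,10.0.0.53,53,2200
14400,10.0.0.1,203.0.113.10,443,40000
18000,10.0.0.1,10.0.0.53,53,1800
18000,10.0.0.1,203.0.113.10,443,42000
"""
OBSERVED_CSV = """ts,src,dst,dport,bytes
21600,10.0.0.1,10.0.0.53,53,2000
21700,10.0.0.1,203.0.113.10,443,40000
21800,10.0.0.1,198.51.100.77,443,52428800
22500,10.0.0.1,198.51.100.77,443,1024
"""


def run_example() -> list:
    baseline = build_baseline(parse_flows(BASELINE_CSV))
    return detect_anomalies(baseline, parse_flows(OBSERVED_CSV))


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

The two signals are deliberately independent: a low-and-slow implant that beacons a few hundred bytes an hour would never trip the volume check but still shows up as a new peer, while a bulk exfiltration to a previously legitimate destination (a compromised CDN node, say) trips only the volume check. In practice the baseline window should span at least a few business cycles so that weekly patch downloads and backups are part of "normal".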