The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2022-41328

CVE-2022-41328: Fortinet FortiOS Path Traversal Flaw

CVE-2022-41328 is a path traversal vulnerability in Fortinet FortiOS that enables privileged attackers to read and write files on the Linux system. This article covers technical details, affected versions, and mitigation.

Published: February 18, 2026

CVE-2022-41328 Overview

CVE-2022-41328 is a path traversal vulnerability (CWE-22) affecting Fortinet FortiOS that allows a privileged attacker to read and write arbitrary files on the underlying Linux system via crafted CLI commands. This vulnerability enables attackers with existing access to the FortiOS command-line interface to escape directory restrictions and manipulate sensitive system files, potentially leading to complete device compromise.

Critical Impact

This vulnerability is actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Organizations using affected FortiOS versions should apply patches immediately as threat actors have leveraged this flaw in targeted attacks against critical infrastructure.

Affected Products

  • Fortinet FortiOS version 7.2.0 through 7.2.3
  • Fortinet FortiOS version 7.0.0 through 7.0.9
  • Fortinet FortiOS versions before 6.4.11

Discovery Timeline

  • 2023-03-07 - CVE CVE-2022-41328 published to NVD
  • 2025-10-24 - Last updated in NVD database

Technical Details for CVE-2022-41328

Vulnerability Analysis

This path traversal vulnerability exists in Fortinet FortiOS's command-line interface (CLI) command processing logic. The root issue stems from improper limitation of pathname handling that fails to adequately restrict file operations to authorized directories. When processing certain CLI commands, the FortiOS firmware does not properly sanitize user-supplied path components, allowing an authenticated attacker to traverse outside the intended directory structure.

The vulnerability requires local access with existing privileges on the FortiOS device, meaning the attacker must first obtain valid credentials or have pre-existing access to the CLI. Once access is achieved, the attacker can craft specially formatted CLI commands that include directory traversal sequences (such as ../) to escape restricted directories.

Root Cause

The vulnerability originates from improper input validation in the FortiOS CLI command parser. When the CLI processes file-related commands, it fails to properly normalize and validate path inputs before performing file operations. This allows the inclusion of relative path components that enable traversal outside the intended working directory, ultimately providing access to arbitrary locations on the underlying Linux filesystem.

Attack Vector

The attack requires local access to the FortiOS CLI with some level of authenticated privileges. An attacker exploiting this vulnerability would:

  1. Obtain authenticated access to the FortiOS command-line interface
  2. Craft malicious CLI commands containing path traversal sequences
  3. Execute these commands to read sensitive files (e.g., configuration files, certificates, credentials)
  4. Write malicious content to system files to achieve persistence or further compromise

The path traversal attack enables both read and write operations on the underlying Linux system, which could allow attackers to extract sensitive configuration data, modify system files for persistence, or plant malicious code that survives device reboots.

Detection Methods for CVE-2022-41328

Indicators of Compromise

  • Unexpected modifications to system files outside normal FortiOS operational directories
  • Suspicious CLI command history entries containing directory traversal sequences (../)
  • Unauthorized access to sensitive configuration files or certificates
  • Anomalous file access patterns in FortiOS system logs
  • Presence of unexpected files in system directories that may indicate attacker persistence mechanisms

Detection Strategies

  • Review FortiOS CLI command logs for commands containing path traversal patterns such as ../ or absolute paths to sensitive directories
  • Implement file integrity monitoring on FortiOS devices to detect unauthorized modifications to critical system files
  • Monitor for authentication events followed by unusual file access patterns that may indicate exploitation attempts
  • Deploy network detection rules to identify potential command and control traffic associated with post-exploitation activities

Monitoring Recommendations

  • Enable comprehensive logging on all FortiOS devices and forward logs to a centralized SIEM for analysis
  • Configure alerts for CLI sessions from unusual source IPs or at unusual times
  • Monitor for changes to FortiOS firmware integrity that could indicate tampering
  • Implement baseline monitoring of normal CLI command patterns to identify anomalies

How to Mitigate CVE-2022-41328

Immediate Actions Required

  • Immediately update all FortiOS devices to patched versions: FortiOS 7.2.4 or later, FortiOS 7.0.10 or later, or FortiOS 6.4.11 or later
  • Review CLI access logs for evidence of exploitation attempts
  • Restrict CLI access to only authorized administrators from known, trusted IP addresses
  • Implement multi-factor authentication for all FortiOS administrative access
  • Conduct forensic analysis of any devices suspected of compromise before returning them to production

Patch Information

Fortinet has released security patches addressing this vulnerability. Organizations should upgrade to the following fixed versions:

  • FortiOS 7.2.x: Upgrade to version 7.2.4 or later
  • FortiOS 7.0.x: Upgrade to version 7.0.10 or later
  • FortiOS 6.4.x: Upgrade to version 6.4.11 or later

Refer to the FortiGuard Security Advisory FG-IR-22-369 for complete patch information and additional guidance.

Workarounds

  • Restrict CLI access to a limited set of trusted administrators until patches can be applied
  • Implement strict network segmentation to limit access to FortiOS management interfaces
  • Use dedicated management networks that are isolated from user traffic and the internet
  • Disable unnecessary CLI features and commands where possible through FortiOS access profiles
  • Monitor all administrative access closely for suspicious activity pending patching
bash
# Example: Restrict CLI access to specific trusted hosts
config system admin
    edit "admin"
        set trusthost1 192.168.1.0 255.255.255.0
        set trusthost2 10.0.0.5 255.255.255.255
    next
end

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypePath Traversal
  • Vendor/TechFortinet Fortios
  • SeverityHIGH
  • CVSS Score7.1
  • EPSS Probability0.23%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CISA KEV Information
  • In CISA KEVYes
  • CWE References
  • CWE-22
  • Technical References
  • CISA Known Exploit Catalog
  • Vendor Resources
  • FortiGuard Security Advisory
  • Related CVEs
  • CVE-2021-41024: Fortinet FortiProxy Path Traversal Flaw
  • CVE-2025-25249: Fortinet FortiOS Buffer Overflow Flaw
  • CVE-2026-22153: Fortinet FortiOS Auth Bypass Vulnerability
  • CVE-2025-64157: Fortinet FortiOS RCE Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English