Alleged Chinese Threat Actors Developing Fortinet Zero-Day Exploit for New “BOLDMOVE” Malware Campaign Targeting European and African Organizations

Mandiant reported preparations for a campaign leveraging CVE-2022-42475, a vulnerability in Fortinet's FortiOS SSL-VPN, to target organizations in Europe and Africa with a new malware dubbed “BOLDMOVE.”
On January 19, 2023, Mandiant security researchers published the technical details of malware campaign preparations they’ve reportedly observed since October 2022.

Two key points should be noted regarding Mandiant’s assessment:

  1. Mandiant has not directly observed exploitation of the vulnerability, or deployment of BOLDMOVE in the wild.
  2. Mandiant researchers assess with low confidence that the campaign is related to an unspecified Chinese cyber espionage group based on: timing of development, characters in host survey buffers, and the common tactic of exploiting zero-days in network devices.

Technical Details

According to the National Vulnerability Database from NIST, CVE-2022-42475 has a severity score of 9.8 CRITICAL and is “A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.”
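The NVD text above lists the affected versions as a set of inclusive ranges plus two open-ended "and earlier" entries, which is awkward to check by eye across a device inventory. The following is an added example written for this article (not Fortinet, NIST or Mandiant code) that turns the quoted ranges into a version check a defender can run over an asset list. It assumes dotted numeric version strings such as "7.0.8" (FortiOS-style "v7.0.8,build0418" is tolerated), reads "X and earlier" as every version less than or equal to X within that product, and uses a constructed sample inventory with hypothetical hostnames.

```python
"""Check FortiOS / FortiProxy SSL-VPN versions against the affected ranges
quoted from NVD for CVE-2022-42475.

Added example for this article; not vendor code. Assumptions: versions are
dotted numeric strings; "X and earlier" means every version <= X for that
product. Versions outside the ranges are reported as "not listed", not as
"fixed", because the page does not name fixed releases.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive ranges transcribed from the NVD description quoted in the article.
# A lower bound of None encodes the "and earlier" wording (assumed <= upper).
AFFECTED = {
    "fortios": [
        ((7, 2, 0), (7, 2, 2)),
        ((7, 0, 0), (7, 0, 8)),
        ((6, 4, 0), (6, 4, 10)),
        ((6, 2, 0), (6, 2, 11)),
        (None, (6, 0, 15)),  # "6.0.15 and earlier"
    ],
    "fortiproxy": [
        ((7, 2, 0), (7, 2, 1)),
        (None, (7, 0, 7)),  # "7.0.7 and earlier"
    ],
}


def parse_version(text: str) -> Version:
    """Turn '7.0.8' or 'v7.0.8,build0418' into (7, 0, 8); pads to three parts."""
    core = text.strip().lstrip("vV").split(",")[0].strip()
    parts = [int(p) for p in core.split(".") if p]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(product: str, version_text: str) -> bool:
    """True if the version falls inside any quoted affected range for the product."""
    key = product.lower()
    if key not in AFFECTED:
        raise ValueError(f"unknown product: {product}")
    v = parse_version(version_text)
    for lo, hi in AFFECTED[key]:
        if (lo is None or lo <= v) and v <= hi:
            return True
    return False


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, bool]]:
    """Annotate (host, product, version) records with the affected flag."""
    return [(h, p, ver, is_affected(p, ver)) for h, p, ver in inventory]


# Constructed sample inventory with hypothetical hostnames, not real devices.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "v7.0.8,build0418"),
    ("fw-edge-02", "FortiOS", "7.0.9"),
    ("proxy-01", "FortiProxy", "7.0.7"),
    ("fw-lab", "FortiOS", "7.4.0"),
]

if __name__ == "__main__":
    for host, product, version, hit in triage(SAMPLE_INVENTORY):
        status = "AFFECTED" if hit else "not listed"
        print(f"{host:12} {product:11} {version:18} {status}")
```

Tuple comparison does the range check, so no third-party version library is needed; the only interpretive choice is treating "and earlier" as an open lower bound, which is flagged in the comments so it can be tightened if a narrower reading is preferred.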

According to Mandiant researchers, the campaign delivered a new backdoor malware they named “BOLDMOVE.” Mandiant identified both Linux and Windows variants of BOLDMOVE but has not observed the malware in the wild.


Mandiant researchers provided the following indicators of compromise (IOCs):

| Hash | Type | Description |
|------|------|-------------|
| 12e28c14bb7f7b9513a02e5857592ad7 | MD5 | Basic BOLDMOVE |
| 3191cb2e06e9a30792309813793f78b6 | MD5 | Extended BOLDMOVE |
| 54bbea35b095ddfe9740df97b693627b | MD5 | Windows version of BOLDMOVE |
| | SHA256 | Windows version of BOLDMOVE |
