- A new critical authentication bypass vulnerability affects the web admin console for FortiOS and FortiProxy.
- Threat actors can easily exploit the vulnerability with a crafted HTTP request.
- The vulnerability can be leveraged to take over the admin console.
- Access can lead to the disclosure of sensitive data.
- A recent development also suggests that the vulnerability can lead to complete server compromise.
- Update to the latest versions:
- FortiOS: 7.0.7 or 7.2.2 or above
- FortiProxy: 7.0.7 or 7.2.1
- If an upgrade is not possible, follow the official workaround of whitelisting the IP addresses that can reach the administrative interface using a ‘local-in-policy’.
- CloudSEK’s Threat Research team conducted an investigation to understand CVE-2022-40684, the latest authentication bypass vulnerability in FortiOS and FortiProxy
- An attacker can exploit this vulnerability with a crafted HTTP request to take over the administrative interfaces of these products.
- The vulnerability was disclosed in an update on 6 October 2022.
- Fortinet has publicly admitted that they have not released any advisory yet as they want to give their customers ample time to patch or implement workarounds.
- As of now, there are no publicly available exploits and no exploitation attempt has been detected.
- However, this scenario is expected to change as soon as a viable exploit is created by threat actors and security researchers.
- Threat actor groups have previously been observed attempting to exploit a variety of Fortinet vulnerabilities, including CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
- The following table lists the Fortinet products and their versions affected by this vulnerability.
| Product | Affected versions | Fixed versions |
|---|---|---|
| FortiOS | 7.0.0 - 7.0.6 and 7.2.0 - 7.2.1 | 7.0.7 or 7.2.2 |
| FortiProxy | 7.0.0 - 7.0.6 and 7.2.0 | 7.0.7 or 7.2.1 |
Information from OSINT
While conducting an open-source investigation, the following was uncovered:
- Multiple security teams have already created a working exploit for the vulnerability.
- As mentioned in the following Tweet, one of them is going to release a detailed blog and POC later this week. Working exploits like these will aid the threat actors.
Figure: Screenshot of Tweet mentioning the release of the exploit for CVE-2022-40684
Information from Shodan
A simple Shodan search suggests that Fortinet is used by a large number of organizations worldwide.
Figure: Screenshot of Shodan search results