A critical authentication bypass vulnerability affecting multiple Fortinet services has been exploited at least once in the wild, according to a security advisory published Monday.
The Fortinet vulnerability, CVE-2022-40684, became public on Oct. 7 when the network security vendor sent an alert to customers warning of the flaw, according to a report from Bleeping Computer. This was followed by a public security advisory published Monday by Fortinet.
CVE-2022-40684 is an authentication bypass vulnerability in FortiOS, the operating system for Fortinet's hardware appliances; FortiProxy, its secure web proxy; and FortiSwitch Manager, its Ethernet switch management tool. According to the advisory, the critical flaw "may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests."
In addition, the advisory noted that Fortinet "is aware of an instance" where CVE-2022-40684 was exploited. TechTarget Editorial requested additional information regarding the exploitation, but Fortinet had not responded as of press time.
Affected versions include the following:
- FortiOS: 7.2.1, 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1 and 7.0.0
- FortiProxy: 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1 and 7.0.0
- FortiSwitch Manager: 7.2.0 and 7.0.0
Gitworm (@Gi7w0rm) wrote on Twitter on Oct. 7, 2022: "#Fortinet is currently advising its customers on a high severity #vulnerability in FortiOS: From 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1; FortiProxy: From 7.0.0 to 7.0.6 and 7.2.0. #CVE: CVE-2022-40684 #authbypass #RCE #prepareforimpact @campuscodi @uuallan @GossiTheDog"
Patches for all three products are available now, alongside a set of workarounds for customers who cannot upgrade immediately. The workarounds for FortiOS and FortiProxy involve either disabling the HTTP/HTTPS administrative interface or limiting the IP addresses that can reach it. Only the former workaround, disabling the interface, is offered for FortiSwitch Manager.
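As an added illustration of the two workarounds described above (constructed for this article, not Fortinet's published workaround text), the following FortiOS CLI fragment first removes HTTP and HTTPS from an internet-facing interface's allowed management access, then limits HTTPS administrative access on the remaining management interface to a single trusted host. The interface names "wan1" and "port1", the address object "mgmt_host" and the host 10.0.0.5 are assumed placeholders.

```text
# Added example, constructed for this article: FortiOS CLI (not the vendor's advisory text).
# Workaround 1: stop HTTP/HTTPS management on an internet-facing interface.
# "wan1" is an assumed interface name; keep only the access methods still needed.
config system interface
    edit "wan1"
        set allowaccess ping ssh
    next
end

# Workaround 2: limit administrative HTTPS to one trusted host on the management interface.
# "mgmt_host", "port1" and 10.0.0.5 are placeholders for this example.
config firewall address
    edit "mgmt_host"
        set subnet 10.0.0.5 255.255.255.255
    next
end

config firewall local-in-policy
    # Entry 1: accept HTTPS only from the trusted management host.
    edit 1
        set intf "port1"
        set srcaddr "mgmt_host"
        set dstaddr "all"
        set action accept
        set service HTTPS
        set schedule always
    next
    # Entry 2: deny HTTP and HTTPS to the device from every other source.
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service HTTP HTTPS
        set schedule always
    next
end
```

Local-in policies are matched top-down, so the accept entry must come before the deny entry, and the restriction should be verified from a non-trusted address after it is applied.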
CVE-2022-40684 is not the only major vulnerability that has affected Fortinet in recent memory. Last year, a FortiGate VPN vulnerability patched in 2019 was exploited by Cring ransomware operators to extort bitcoin from enterprises.
Alexander Culafi is a writer, journalist and podcaster based in Boston.