Authentication bypass found in FortiOS management interface
Fortinet has released a patch for a critical vulnerability (CVE-2022-40684) in their products which is being exploited in the wild.
The bug affects the HTTP/HTTPS management interface of FortiOS, FortiProxy and FortiSwitchManager.
An attacker with network level access to the management interface can bypass authentication requirements and perform administrative actions.
Check for the following string in user logs which indicates successful exploitation:
FortiOS version 7.2.0 through 7.2.1
FortiOS version 7.0.0 through 7.0.6
FortiProxy version 7.2.0
FortiProxy version 7.0.0 through 7.0.6
FortiSwitchManager version 7.2.0
FortiSwitchManager version 7.0.0
Containment, Mitigations & Remediations
Fortinet recommends an immediate update or, failing that, disabling the HTTP/HTTPS management interface.
Where this is not possible, ensure the management interface is not internet-facing and restrict access to approved IPs. Further information on mitigations is provided in their advisory.
Fortinet also provides a hardening guide with generic advice on securing their devices.
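As an added example (not taken from this post or from Fortinet's advisory), the FortiOS CLI fragment below shows the exposed configuration beside a hardened one: HTTP/HTTPS administrative access removed from the WAN-facing interface, and, where HTTPS management must stay reachable on that interface, a local-in policy that admits only an approved source address object. The interface name wan1, the address object mgmt_allowed and the 203.0.113.0/24 range are assumptions.

```fortios
# BEFORE (exposed): HTTP and HTTPS admin access enabled on the WAN-facing interface.
# Interface name "wan1" is an assumption for this example.
config system interface
    edit "wan1"
        set allowaccess ping https ssh http
    next
end

# AFTER (hardened, option 1): remove http and https from the WAN-facing interface.
config system interface
    edit "wan1"
        set allowaccess ping ssh
    next
end

# AFTER (hardened, option 2): if HTTPS management must remain on this interface,
# define the approved management source and admit only it with a local-in policy.
# "mgmt_allowed" and 203.0.113.0/24 are assumed (documentation range, not a real network).
config firewall address
    edit "mgmt_allowed"
        set subnet 203.0.113.0 255.255.255.0
    next
end

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "mgmt_allowed"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
    next
end
```

Option 1 is the stronger of the two and makes option 2 unnecessary on that interface; option 2 is only for the case the post describes, where the management interface cannot be taken offline.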
Indicators of Compromise
Fortinet reports “an instance” where this vulnerability was exploited in the wild.
Now that the patch has been released, it is likely that threat actors will soon be able to reverse engineer the patch to find out how the vulnerability works.
The party that initially discovered the vulnerability is unknown.
It is likely to be used by opportunistic actors.
– T1068 – Exploitation for Privilege Escalation
– T1210 – Exploitation of Remote Services
FortiOS / FortiProxy / FortiSwitchManager – Authentication bypass on administrative interface