More than 24K Fortinet systems in US have admin login screen exposed to the Internet, and two other updates on CVE-2022-40684

Here’s the latest on the authentication bypass flaw (CVE-2022-40684) in FortiOS, FortiProxy, and FortiSwitchManager

As of October 13, 2022, there were 24,924 servers in the US and 196,668 globally that exposed the flaw's attack surface, the login screen for Fortinet administrators, to the Internet, according to the security group of Japanese technology firm Macnica. The count includes versions of Fortinet technology that are not vulnerable to the issue, so it measures exposure rather than confirmed vulnerability.

When the company's researchers ran a Shodan search for all Internet-exposed Fortinet products, including those with exposed login screens for ordinary users rather than administrators, they found 656,720 units globally, 109,614 of them in the US.
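Because an exposure count like Macnica's mixes affected and unaffected versions, the first thing a defender wants is to split their own list of exposed units into "affected", "not affected" and "cannot tell". The script below is an added example, not code from the article, Macnica or Fortinet: it triages a constructed, Shodan-style CSV export (columns ip, product, version; all addresses are documentation ranges) against the affected version ranges Fortinet's PSIRT advisory FG-IR-22-377 lists for CVE-2022-40684 (FortiOS 7.0.0-7.0.6 and 7.2.0-7.2.1, FortiProxy 7.0.0-7.0.6 and 7.2.0, FortiSwitchManager 7.0.0 and 7.2.0). The column names and the banner-to-product mapping are assumptions for the example. A host whose banner carries no version is deliberately put in an "unknown" bucket for manual verification instead of being counted either way, since an exposed login page alone does not prove the device is vulnerable.

```python
"""Triage an inventory of Internet-exposed Fortinet admin interfaces against
the CVE-2022-40684 affected version ranges (added example, not vendor code)."""
import csv
import io
import re
from collections import Counter

# Inclusive affected ranges from Fortinet PSIRT advisory FG-IR-22-377.
AFFECTED_RANGES = {
    "fortios": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 1))],
    "fortiproxy": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 0))],
    "fortiswitchmanager": [((7, 0, 0), (7, 0, 0)), ((7, 2, 0), (7, 2, 0))],
}

# Assumed banner substrings -> advisory product names. Only the three
# products named in the advisory are in scope; anything else is reported
# as out of scope rather than guessed at.
PRODUCT_ALIASES = {
    "fortigate": "fortios",
    "fortios": "fortios",
    "fortiproxy": "fortiproxy",
    "fortiswitchmanager": "fortiswitchmanager",
    "fortiswitch manager": "fortiswitchmanager",
}

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")

# Constructed sample inventory; a real run would read a Shodan/Censys export.
SAMPLE_INVENTORY = """ip,product,version
198.51.100.10,FortiGate,v7.0.5
198.51.100.11,FortiGate,v7.0.7
198.51.100.12,FortiProxy,7.2.0
198.51.100.13,FortiSwitchManager,7.2.1
198.51.100.14,FortiGate,
198.51.100.15,FortiAnalyzer,7.2.0
198.51.100.16,FortiGate,v6.4.9
"""


def normalize_product(banner):
    """Map a free-text product banner to an advisory product name, or None."""
    text = banner.lower()
    for alias, product in PRODUCT_ALIASES.items():
        if alias in text:
            return product
    return None


def parse_version(text):
    """Extract a (major, minor, patch) tuple from text like 'v7.0.5'."""
    match = VERSION_RE.search(text or "")
    return tuple(int(g) for g in match.groups()) if match else None


def classify(banner, version_text):
    """Return one of: out-of-scope, exposed-unknown-version,
    exposed-affected, exposed-not-affected."""
    product = normalize_product(banner)
    if product is None:
        return "out-of-scope"
    version = parse_version(version_text)
    if version is None:
        # Exposed, but the banner does not say which build; verify on-box.
        return "exposed-unknown-version"
    for low, high in AFFECTED_RANGES[product]:
        if low <= version <= high:          # tuple comparison is lexicographic
            return "exposed-affected"
    return "exposed-not-affected"


def triage(csv_text):
    """Classify every row of a CSV export; returns [(ip, status), ...]."""
    return [
        (row["ip"], classify(row["product"], row["version"]))
        for row in csv.DictReader(io.StringIO(csv_text))
    ]


def summarize(results):
    """Count hosts per status so exposure and vulnerability are not conflated."""
    return dict(Counter(status for _, status in results))


if __name__ == "__main__":
    rows = triage(SAMPLE_INVENTORY)
    for ip, status in rows:
        print(f"{ip:16} {status}")
    print(summarize(rows))
```

The important design point is the "unknown" bucket: in the constructed data only two of the five in-scope FortiGate/FortiProxy/FortiSwitchManager hosts land in "exposed-affected", one cannot be judged from the banner at all, and 6.x builds fall outside every affected range. Treating every exposed login page as vulnerable would overstate the problem in the same way the raw Shodan totals above do.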


A proof of concept (PoC) for the vulnerability is now publicly available: a pen-testing firm on Thursday released the PoC along with a detailed analysis of the bug and how it can be exploited. Security researchers who have replicated and confirmed the PoC describe it as giving them SSH access to vulnerable FortiOS instances without any user interaction.


Scanning activity targeting the flaw has ticked up considerably. According to IP monitoring firm GreyNoise, as of October 14 a total of 64 unique IP addresses had been observed attempting to exploit the flaw. The SANS Institute's Internet Storm Center (ISC) reported seeing scans for an older FortiGate flaw (CVE-2018-13379) following the disclosure of the new one; the ISC surmised the scans might be meant to help attackers fingerprint devices and build a target list for use once an exploit became available. Meanwhile, at least one template for scanning the Internet for vulnerable systems is now publicly available on GitHub.


SANS ISC on recent scanning activity.

Scanning template on GitHub