Update: Attackers actively exploiting recently disclosed authentication bypass vulnerability in FortiOS, FortiProxy and FortiSwitchManager

Key takeaway: Adversaries can exploit the vulnerability remotely to gain full control of affected systems [297 words].

What: Attackers have begun actively exploiting a critical authentication bypass vulnerability (CVE-2022-40684) that Fortinet privately disclosed last week in its FortiOS, FortiProxy and FortiSwitchManager technologies. The vulnerability allows a remote, unauthenticated attacker to gain full administrative control of affected systems via specially crafted HTTP or HTTPS requests.

Why it matters: As we previously noted here, Fortinet’s technologies are a popular target for threat actors trying to gain an initial foothold on target networks. Last year the FBI and US Cybersecurity and Infrastructure Security Agency (CISA) warned of APT groups actively targeting a set of known FortiOS vulnerabilities: CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. In November 2021, a joint cybersecurity advisory from US, Australian and UK authorities warned of an Iranian government-sponsored APT scanning devices on ports 4443, 8443, and 10443 for specific Fortinet FortiOS vulnerabilities: CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591.

The details (again): Fortinet says it knows of at least one instance where attackers exploited the vulnerability in the wild. It has recommended that organizations using the affected products immediately validate their systems against the following indicator of compromise in the device’s logs: user="Local_Process_Access"

The vulnerability exists in the following products:

FortiOS versions 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6
FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6
FortiSwitchManager version 7.2.0 and 7.0.0

Organizations should update immediately to:

FortiOS version 7.2.2 or above or version 7.0.7 or above
FortiProxy version 7.2.1 or above or version 7.0.7 or above
FortiSwitchManager version 7.2.1 or above

Earlier versions of the software are not affected.
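To make the two checks above repeatable, here is an added example (not Fortinet's code and not part of the original post) that decides whether a product/version pair falls inside the affected ranges listed above and scans FortiOS-style key=value event log lines for the user="Local_Process_Access" indicator. The log lines, IP addresses and field values are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Affected version ranges exactly as stated in the advisory (inclusive bounds).
AFFECTED: Dict[str, List[Tuple[Tuple[int, ...], Tuple[int, ...]]]] = {
    "FortiOS": [((7, 2, 0), (7, 2, 1)), ((7, 0, 0), (7, 0, 6))],
    "FortiProxy": [((7, 2, 0), (7, 2, 0)), ((7, 0, 0), (7, 0, 6))],
    "FortiSwitchManager": [((7, 2, 0), (7, 2, 0)), ((7, 0, 0), (7, 0, 0))],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.0.6' into (7, 0, 6) so ranges compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(product: str, version: str) -> bool:
    """True if product/version sits inside one of the advisory's affected ranges."""
    ver = parse_version(version)
    return any(lo <= ver <= hi for lo, hi in AFFECTED.get(product, []))


# FortiOS event logs are space-separated key=value pairs; values may be double-quoted
# and quoted values may contain spaces, so match the quoted form before the bare form.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
IOC_USER = "Local_Process_Access"  # the indicator named in the advisory


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict, stripping quotes from values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in _KV.finditer(line)}


def find_ioc_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return the date/time/ui/msg of every line whose user field equals the IoC."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("user") == IOC_USER:
            hits.append({k: rec.get(k, "") for k in ("date", "time", "ui", "msg")})
    return hits


# Constructed sample lines mimicking the FortiOS event-log layout; not real captures.
SAMPLE_LOGS = [
    'date=2022-10-12 time=09:15:01 type="event" subtype="system" level="information" '
    'user="admin" ui="https(203.0.113.10)" action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(203.0.113.10)"',
    'date=2022-10-12 time=09:16:44 type="event" subtype="system" level="information" '
    'user="Local_Process_Access" ui="https(198.51.100.7)" action="login" status="success" '
    'msg="Administrator Local_Process_Access logged in successfully"',
]
```

Feed real exported event logs to find_ioc_hits one line at a time; any hit is a trigger for the advisory's incident-response steps, not proof of compromise on its own.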

Fortinet has provided step-by-step workarounds for organizations that cannot immediately update.

Further reading

Fortinet’s advisory and workarounds