Fortinet Authentication Bypass Vulnerability
CVE-2022-40684

9.8CRITICAL

Key Information:

Vendor
Fortinet
Status
Fortinet FortiOS, Fortiproxy, Fortiswitchmanager
Vendor
CVE Published:
18 October 2022

Badges

💰 Ransomware👾 Exploit Exists🟡 Public PoC🟣 EPSS 97%🦅 CISA Reported

What is CVE-2022-40684?

CVE-2022-40684 is a critical vulnerability found in Fortinet's software products, specifically affecting FortiOS, FortiProxy, and FortiSwitchManager across multiple versions. This vulnerability enables an unauthenticated attacker to bypass authentication controls and carry out administrative operations via crafted HTTP or HTTPS requests. As Fortinet products are widely used for security management and network protection, this vulnerability poses a significant risk to organizations relying on their functionalities, potentially leading to unauthorized access and control over sensitive network configurations.

Technical Details

CVE-2022-40684 falls under the category of authentication bypass vulnerabilities, classified as CWE-288. This vulnerability impacts specific versions of FortiOS (7.2.0 to 7.2.1 and 7.0.0 to 7.0.6), FortiProxy (7.2.0 and 7.0.0 to 7.0.6), and FortiSwitchManager (7.2.0 and 7.0.0 to 7.0.6). The issue arises when attackers leverage alternate pathways to bypass the standard authentication process, granting them unauthorized access to the administrative interfaces of these products. Such exploitations can be executed without needing prior user credentials.

Potential Impact of CVE-2022-40684

  1. Unauthorized Administrative Access: Attackers can gain administrative privileges, enabling them to modify configurations, deploy malware, or exfiltrate sensitive data, potentially compromising the entire security infrastructure of an organization.

  2. Data Breach Risks: With administrative control, malicious actors can access and extract sensitive information, leading to data leaks that may affect customer privacy and organizational integrity.

  3. Increased Attack Surface: The vulnerability exposes organizations to further exploitation. Once inside the system, attackers could deploy additional attacks, including lateral movement, establishing footholds, or deploying ransomware, thereby exacerbating the scale of the incident.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed as being exploited and is known by the CISA as enabling ransomware campaigns.

The CISA's recommendation is: Apply updates per vendor instructions.

Affected Version(s)

Fortinet FortiOS, FortiProxy, FortiSwitchManager FortiOS 7.2.1, 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0; FortiProxy 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0; FortiSwitchManager 7.2.0, 7.0.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-40684
Created by horizon3ai

Metasploit exploit module for CVE-2022-40684
Created by Rapid7

CVE-2022-40684
Created by carlosevieira

References

https://fortiguard.com/psirt/FG-IR-22-377
http://packetstormsecurity.com/files/169431/Fortinet-Fort...
http://packetstormsecurity.com/files/171515/Fortinet-7.2....

EPSS Score

97% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • Vulnerability published

  • 💰

    Used in Ransomware

  • 👾

    Exploit known to exist

  • 🦅

    CISA Reported

  • Vulnerability Reserved

.