Pierluigi Paganini October 18, 2022

Fortinet confirmed that many systems are still vulnerable to attacks exploiting the CVE-2022-40684 zero-day vulnerability.

Fortinet is urging customers to address the recently discovered CVE-2022-40684 zero-day vulnerability. Unfortunately, the number of devices that have yet to be patched is still high.

“After multiple notifications from Fortinet over the past week, there are still a significant number of devices that require mitigation, and following the publication by an outside party of POC code, there is active exploitation of this vulnerability. Based on this development, Fortinet again recommends customers and partners take urgent and immediate action as described in the public Advisory.” reads the advisory published by the company.

A couple of weeks ago, the security vendor addressed the critical authentication bypass flaw that impacted FortiGate firewalls and FortiProxy web proxies.

An attacker can exploit the vulnerability to log into vulnerable devices.

“An authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” reads the advisory issued by the company PSIRT.

The company urges customers of addressing this critical vulnerability immediately due to the risk of remote exploitation of the flaw.

The vulnerability impacts FortiOS versions from 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1. FortiProxy versions from 7.0.0 to 7.0.6 and 7.2.0 are also impacted.

The cybersecurity firm addressed the vulnerability with the release of FortiOS/FortiProxy versions 7.0.7 or 7.2.2. The company also provided a workaround for those who can’t immediately deploy security updates.

Customers that are not able to upgrade their systems should Disable HTTP/HTTPS administrative interface or Limit IP addresses that can reach it.

Today the company confirmed today the critical authentication bypass vulnerability is being exploited in the wild.

“Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device’s logs: user=”Local_Process_Access”” continues the advisory.

A proof-of-concept (PoC) exploit code for the CVE-2022-40684 flaw has been released online. The public availability of the PoC exploit code can fuel a wave of attacks targeting Fortinet devices.

Security firms are warning that threat actors are already actively exploiting the issue in the wild, Threat intelligence firm GreyNoise reported attacks attempting to exploit the issue. The attacks originated from hundreds of unique IP addresses, most of them located in the US, China, and Germany.

Horizin3 experts who released the PoC exploit code pointed out that there are other ways to trigger this vulnerability and there may be other sets of conditions that work. This means that threat actors could develop their own exploit and use it in attacks in the wild, for this reason, it is essential to address the flaw immediately.

The Shadowserver Foundation reported that more than 17K Fortinet devices exposed online are vulnerable to attacks exploiting the CVE-2022-40684 flaw, most of them in Germany and in the US.

Users can track CVE-2022-40684 exploitation activity on the Dashboard provided by the organization.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2022-40684)

[adrotate banner=”5″]

[adrotate banner=”13″]