PT-2022-4986 · Fortinet · Fortios+2

Published

2022-10-07

·

Updated

2026-05-16

·

CVE-2022-40684

CVSS v3.1

9.8

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Fortinet FortiOS versions 7.0.0 through 7.2.1
Fortinet FortiProxy versions 7.0.0 through 7.2.0
Fortinet FortiSwitchManager versions 7.0.0 and 7.2.0
Description

An authentication bypass vulnerability exists in Fortinet FortiOS, FortiProxy, and FortiSwitchManager. It allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests, which in practice gives full administrative control of the device. Exploitation in the wild has been observed, with attackers downloading device configuration files and adding malicious administrator accounts. Approximately 160,000 devices were estimated to be potentially vulnerable. A later leak of data from more than 15,000 FortiGate devices, attributed to exploitation of this flaw, exposed usernames, passwords, device management certificates, and firewall rules.

Indicators: configuration changes made through the bypass are logged under the pseudo-user Local_Process_Access ("Local Process Access") rather than a named administrator account, so event-log entries carrying that user value signal exploitation. Reported exploitation paths include requests to the /api/v1/login endpoint that manipulate the username, profname, vdom, and loginname parameters.
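Two checks a practitioner wants as soon as this advisory lands are "is my build in the affected range?" and "did the Local Process Access pseudo-user do anything on this box?". The script below is an added example written for this entry; it is not Fortinet's code and not part of the PT record. The affected ranges are taken from the entry above; the log lines are constructed in FortiOS key=value syslog style, and the field names used in them (user, ui, action, cfgpath, cfgobj) are an assumption about the log format rather than captured device output.

```python
"""Added example for CVE-2022-40684 triage (not Fortinet's code).

is_affected()      -- version string vs. the affected ranges in the advisory
scan_event_log()   -- flag event-log lines attributed to Local_Process_Access,
                      calling out administrator-account changes explicitly
                      because the advisory reports attackers adding admins.
"""
import re

# Inclusive affected ranges, exactly as listed in the advisory.
AFFECTED = {
    "fortios":            [((7, 0, 0), (7, 2, 1))],
    "fortiproxy":         [((7, 0, 0), (7, 2, 0))],
    "fortiswitchmanager": [((7, 0, 0), (7, 0, 0)), ((7, 2, 0), (7, 2, 0))],
}


def parse_version(text):
    """'v7.2.1,build1255' -> (7, 2, 1); raises ValueError on anything else."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(product, version):
    """True if product/version falls inside one of the affected ranges."""
    ranges = AFFECTED.get(product.lower())
    if ranges is None:
        raise ValueError(f"unknown product: {product!r}")
    ver = parse_version(version)
    return any(lo <= ver <= hi for lo, hi in ranges)


# key=value pairs; a value is either "double quoted" or a bare token.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Turn one FortiOS-style log line into a dict of its fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def is_local_process_access(rec):
    # Accept the underscore form seen in logs and the spaced form used in write-ups.
    return rec.get("user", "").replace("_", " ").lower() == "local process access"


def scan_event_log(lines):
    """Return [(line_no, summary, record)] for every Local Process Access event."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_log_line(line)
        if not is_local_process_access(rec):
            continue
        if rec.get("cfgpath") == "system.admin":
            summary = f"ADMIN ACCOUNT CHANGE: {rec.get('action')} {rec.get('cfgobj')}"
        else:
            summary = f"{rec.get('action', '?')} via {rec.get('ui', '?')}"
        hits.append((n, summary, rec))
    return hits


# Constructed sample (assumed field layout): two normal admin events around
# two events performed by the bypass pseudo-user.
SAMPLE_LOG = [
    'date=2022-10-12 time=09:14:03 type="event" subtype="system" level="information" vd="root" user="admin" ui="https(10.0.0.5)" action="login" status="success" msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    'date=2022-10-12 time=09:20:41 type="event" subtype="system" level="notice" vd="root" user="Local_Process_Access" ui="Node.js" action="Add" cfgpath="system.admin" cfgobj="fortigate-tech-support" msg="Add system.admin fortigate-tech-support"',
    'date=2022-10-12 time=09:21:02 type="event" subtype="system" level="notice" vd="root" user="Local_Process_Access" ui="Report Runner" action="Edit" cfgpath="system.admin" cfgobj="admin" cfgattr="ssh-public-key1[changed]" msg="Edit system.admin admin"',
    'date=2022-10-12 time=09:30:00 type="event" subtype="system" level="information" vd="root" user="admin" ui="https(10.0.0.5)" action="download" msg="User admin downloaded config file"',
]

if __name__ == "__main__":
    print("FortiOS 7.2.1 affected:", is_affected("FortiOS", "v7.2.1,build1255"))
    for n, summary, _ in scan_event_log(SAMPLE_LOG):
        print(f"line {n}: {summary}")
```

Feed `scan_event_log()` the device's exported event log (one line per entry); every hit is an action nobody logged in to perform, so each one is worth an explicit explanation, and an ADMIN ACCOUNT CHANGE hit means the account or key it names must be reviewed before the device is trusted again.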
Recommendations

Upgrade to a release that contains the fix. Until that is possible, apply the vendor workarounds:

FortiOS versions 7.0.0 through 7.2.1: disable the HTTP/HTTPS administrative interface, or limit the IP addresses that can reach the administrative interface.
FortiProxy versions 7.0.0 through 7.2.0: disable the HTTP/HTTPS administrative interface or, on FortiProxy VM (all versions) and FortiProxy appliance 7.0.6, limit the IP addresses that can reach the administrative interface.
FortiSwitchManager versions 7.0.0 and 7.2.0: disable the HTTP/HTTPS administrative interface.

Limiting source addresses is a partial mitigation only: an attacker who can reach the administrative interface from an allowed address is still unauthenticated and still has full access. Any device that was exposed while vulnerable should also be checked for unknown administrator accounts and configuration downloads, since exploitation has been observed doing both.
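The two workarounds above map onto concrete configuration state in FortiOS: "disable the HTTP/HTTPS administrative interface" means http and https are absent from every interface's allowaccess list, and "limit IP addresses" is normally done with a firewall local-in-policy that accepts web admin traffic from a trusted address object and denies it from all. The audit below is an added example written for this entry, not Fortinet's code and not from the PT record; it parses a configuration export and reports every interface that still exposes web admin without that allow/deny pair. SAMPLE_CONFIG is constructed, and the address-object and service names in it are placeholders.

```python
"""Added example (not Fortinet's code): audit a FortiOS config export for
interfaces that still expose the HTTP/HTTPS administrative interface."""
import shlex


def parse_fortios_config(text):
    """Minimal parser for FortiOS config syntax.

    Returns {table_path: {edit_key: {attribute: [values]}}}, e.g.
    cfg["system interface"]["port1"]["allowaccess"] == ["ping", "https"].
    'set' lines directly under 'config' (no 'edit') are stored under key "".
    """
    tables = {}
    stack = []                                   # [[table_path, current_object], ...]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            path = (stack[-1][0] + " " if stack else "") + " ".join(args)
            tables.setdefault(path, {})
            stack.append([path, None])
        elif cmd == "edit" and stack:
            stack[-1][1] = tables[stack[-1][0]].setdefault(args[0], {})
        elif cmd == "set" and stack and args:
            target = stack[-1][1]
            if target is None:
                target = tables[stack[-1][0]].setdefault("", {})
            target[args[0]] = args[1:]
        elif cmd == "next" and stack:
            stack[-1][1] = None
        elif cmd == "end" and stack:
            stack.pop()
    return tables


WEB_ADMIN = {"http", "https"}


def audit_admin_exposure(config_text):
    """Return {interface_name: finding} for every interface exposing web admin."""
    cfg = parse_fortios_config(config_text)
    interfaces = cfg.get("system interface", {})
    policies = [p for k, p in cfg.get("firewall local-in-policy", {}).items() if k]
    findings = {}
    for name, attrs in interfaces.items():
        exposed = WEB_ADMIN & {v.lower() for v in attrs.get("allowaccess", [])}
        if not exposed:
            continue
        on_iface = [p for p in policies if p.get("intf") == [name]]
        # The workaround needs both halves: an accept for the trusted sources and
        # a deny for everything else (local-in traffic that matches no policy is
        # otherwise admitted by allowaccess). Service names are site-defined, so
        # the service list of each policy is deliberately not inspected here.
        allow_some = any(p.get("action") == ["accept"] and p.get("srcaddr") not in (None, ["all"])
                         for p in on_iface)
        deny_rest = any(p.get("action") == ["deny"] and p.get("srcaddr") == ["all"]
                        for p in on_iface)
        services = "/".join(sorted(exposed))
        if allow_some and deny_rest:
            findings[name] = f"{services} admin enabled, source-restricted by local-in policy"
        else:
            findings[name] = (f"{services} admin reachable from any source: remove it from "
                              f"allowaccess or add a local-in policy allowlist")
    return findings


# Constructed sample: port1 fully exposed, port2 clean, port3 restricted.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh http
    next
    edit "port2"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping ssh
    next
    edit "port3"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https
    next
end
config firewall local-in-policy
    edit 1
        set intf "port3"
        set srcaddr "mgmt_allowlist"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
    next
    edit 2
        set intf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS"
    next
end
"""

if __name__ == "__main__":
    for iface, finding in audit_admin_exposure(SAMPLE_CONFIG).items():
        print(f"{iface}: {finding}")
```

Run it over a backup taken from each affected device; a clean result means every web admin listener is either removed from allowaccess or fenced by a local-in allow/deny pair, which is the state the two workarounds describe. It does not replace upgrading, and it does not look at per-admin trusthost settings, which restrict where a given account may log in from rather than who can reach the interface.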

Exploit

Fix

FortiOS 7.0.7 and 7.2.2, FortiProxy 7.0.7 and 7.2.1, FortiSwitchManager 7.0.1 and 7.2.1 (and later releases)

Weakness Enumeration

Improper Authentication
Improper Authorization

Related Identifiers

BDU:2022-06189
CVE-2022-40684
FORTIOSWEBADMIN_CVE_2022_40684

Affected Products

FortiOS
FortiProxy
FortiSwitchManager