A new critical authentication bypass vulnerability has been discovered and patched by Fortinet. The vulnerability is tracked as CVE-2022-40684 and carries a CVSS base score of 9.6. Customers have been advised to upgrade as soon as possible to FortiOS/FortiProxy version 7.0.7 or 7.2.2.
CVE-2022-40684 affects all Fortinet devices running FortiOS 7.0.0 through 7.0.6 and 7.2.0 through 7.2.1. Additionally, all FortiProxy devices running firmware versions 7.0.0 through 7.0.6 and 7.2.0 are vulnerable.
In a customer support bulletin, Fortinet describes the vulnerability as follows: "An authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests."
The CVSS score of 9.6 is no accident: the vulnerability can be exploited on any device running an affected firmware version whose administrative interface accepts HTTP or HTTPS requests, and a quick Shodan search suggests that well over 100k such devices are exposed to the internet.
Protect Vulnerable Fortinet Devices
If you cannot upgrade right away, it is highly recommended that you limit the IP addresses that can reach the administrative interface with a local-in policy, so that remote attackers cannot reach the vulnerable interface at all. Fortinet has also shared mitigation advice for admins who are not able to update immediately: "If these devices cannot be updated in a timely manner, internet-facing HTTPS Administration should be immediately disabled until the upgrade can be performed."
Discover Vulnerable Fortinet Devices
To find any Fortinet devices in your network that may be vulnerable to CVE-2022-40684, our team at Lansweeper has created a special report. It gives you an actionable list of the devices that may require your intervention and need to be upgraded.