Fortinet has released emergency security patches for the CVE‑2022‑40684 vulnerability on FortiGate firewall devices

The security vulnerability (CVE‑2022‑40684) is an authentication bypass method on the management interface that allows remote threat actors to log into FortiGate firewalls, FortiProxy, and FortiSwitch Manager (FSWM).

In an advisory issued the same day, Fortinet stated: “An authentication bypass using an alternate channel or path vulnerability [CWE‑288] in FortiOS, FortiProxy, and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.”

Fortinet released a security update to address this issue the following day. A Fortinet spokesperson declined to comment when asked whether the vulnerability was being actively exploited.

Several days later, Fortinet finally acknowledged that they were aware of at least one attack in which CVE‑2022‑40684 had been exploited. The company stated: “Fortinet is aware of an instance where this vulnerability was exploited and recommends immediately validating your systems for intrusion indicators in the device logs: user = ‘Local_Process_Access’.”

The following versions are affected by this critical vulnerability:

• FortiOS versions 7.2.0, 7.2.1
• FortiOS versions 7.0.0 through 7.0.6
• FortiProxy version 7.2.0
• FortiProxy versions 7.0.0 through 7.0.6
• FortiSwitchManager versions 7.0.0, 7.2.0

Fortinet has released security patches and urges customers to update vulnerable devices to FortiOS 7.0.7 or 7.2.2 or later, FortiProxy 7.0.7 or 7.2.1 or later, and FortiSwitchManager 7.2.1 or later to protect their systems from attacks.

Security researchers from the Horizon3 team have developed exploit code and conducted proof‑of‑concept exploitation of this critical vulnerability.

Fortinet also advised customers on how to block attacks when immediate deployment of security updates is not possible. Administrators should disable the HTTP/HTTPS management interface or restrict the IP addresses that can access the management interface by using firewall policies.

(Refer to the guidance here: https://www.fortiguard.com/psirt/FG-IR-22-377)

Therefore, NSV recommends that customers using FortiGate firewalls upgrade to version 7.0.7 or 7.2.2 or later to prevent external attacks that could impact production operations.