Critical Vulnerability in Fortinet Products

Published on 10 Oct 2022

Updated on 17 Oct 2022

Fortinet has released security updates to address a critical vulnerability (CVE-2022-40684) in FortiOS, FortiProxy and FortiSwitchManager.

Successful exploitation of the vulnerability could allow a remote, unauthenticated attacker to perform operations on the administrative interface to bypass authentication via specially crafted HTTP or HTTPS requests. This vulnerability is reportedly being actively exploited.

The vulnerability affects the following products:
• FortiOS versions 7.2.0 to 7.2.1, and 7.0.0 to 7.0.6
• FortiProxy versions 7.0.0 to 7.0.6, and 7.2.0
• FortiSwitchManager versions 7.0.0 and 7.2.0

Administrators and users of affected products are advised to upgrade to the latest versions immediately.
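To act on the version list above at fleet scale, a defender needs a check that compares each device's firmware version against the affected ranges rather than eyeballing a spreadsheet. The following Python is an added example written for this page, not code from Fortinet or from the advisory; it encodes only the ranges stated above, assumes versions are exported as plain dotted numbers (e.g. `7.0.6`), and uses a constructed `host,product,version` inventory.

```python
# Triage helper for CVE-2022-40684: flags devices whose firmware version falls
# inside the affected ranges listed in the advisory. Added example, not vendor code.

# Affected ranges copied from the advisory text; bounds are inclusive.
AFFECTED = {
    "FortiOS": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 1))],
    "FortiProxy": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 0))],
    "FortiSwitchManager": [((7, 0, 0), (7, 0, 0)), ((7, 2, 0), (7, 2, 0))],
}


def parse_version(text: str) -> tuple:
    """Turn a dotted version string such as '7.0.6' into a comparable int tuple.

    A leading 'v' is tolerated; anything else non-numeric raises ValueError so a
    malformed inventory row is reported instead of silently treated as safe.
    """
    parts = text.strip().lstrip("v").split(".")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """True if product/version lies inside one of the advisory's affected ranges.

    Unknown products return False because the advisory does not list them;
    tuple comparison handles 7.0.7 > 7.0.6 and 7.2.2 > 7.2.1 correctly.
    """
    ranges = AFFECTED.get(product)
    if ranges is None:
        return False
    v = parse_version(version)
    return any(low <= v <= high for low, high in ranges)


def triage(inventory_csv: str) -> dict:
    """Split a 'host,product,version' inventory into affected and unaffected hosts."""
    result = {"affected": [], "unaffected": []}
    for line in inventory_csv.strip().splitlines():
        host, product, version = (field.strip() for field in line.split(","))
        key = "affected" if is_affected(product, version) else "unaffected"
        result[key].append(f"{host} ({product} {version})")
    return result


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = """\
fw-edge-01,FortiOS,7.0.5
fw-edge-02,FortiOS,7.0.7
proxy-dmz-01,FortiProxy,7.2.0
swm-core-01,FortiSwitchManager,7.2.0
fw-lab-01,FortiOS,6.4.9
"""

if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    print("Upgrade required:")
    for entry in report["affected"]:
        print("  " + entry)
    print("Not in an affected range:")
    for entry in report["unaffected"]:
        print("  " + entry)
```

The ranges are deliberately kept in one table at the top so that a later revision of the advisory can be reflected by editing that table alone; a device outside every listed range is reported as not affected by this advisory, which is not the same as being fully patched, so the upgrade advice above still applies.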

More information is available here:

https://www.fortiguard.com/psirt/FG-IR-22-377

https://docs.fortinet.com/document/fortigate/7.0.7/fortios-release-notes/289806/resolved-issues

https://www.bleepingcomputer.com/news/security/fortinet-warns-admins-to-patch-critical-auth-bypass-bug-immediately/