Fortinet warns admins to patch critical auth bypass bug immediately

Fortinet has warned administrators to update FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager (FSWM) on-premise management platforms to the latest versions, which address a critical severity vulnerability.

The security flaw (tracked as CVE-2022-40684) is an authentication bypass on the administrative interface that could allow remote threat actors to log into unpatched devices.

"An authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests," Fortinet explains in a customer support bulletin issued today.

"This is a critical vulnerability and should be dealt with the utmost urgency," the company adds.


Fortinet has also emailed customers and advised them to update to the latest available versions immediately.

"Due to the ability to exploit this issue remotely, Fortinet is strongly recommending all customers with the vulnerable versions to perform an immediate upgrade," the company warned.

According to a Shodan search, more than 100,000 FortiGate firewalls are reachable from the Internet, although it's unknown if their management interfaces are also exposed.

The complete list of products vulnerable to attacks attempting to exploit the CVE-2022-40 flaw includes:

  • FortiOS: From 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1
  • FortiProxy: From 7.0.0 to 7.0.6 and 7.2.0
  • FortiSwitchManager: Versions 7.0.0 and 7.2.0

Per today's customer support bulletin, Fortinet released security patches on Thursday, asking customers to update vulnerable devices to FortiOS 7.0.7 or 7.2.2 and above, FortiProxy 7.0.7 or 7.2.1 and above, and FortiSwitchManager 7.2.1 or above.

Workaround available until deploying patches

The company also provides a workaround for those who can't immediately deploy security updates.

To block remote attackers from bypassing authentication and logging into vulnerable FortiGate and FortiProxy deployments, customers should limit the IP addresses that can reach the administrative interface using a local-in-policy.

Detailed information on how to disable the vulnerable HTTP/HTTPS administrative interface for FortiOS, FortiProxy, and FortiSwitchManager can be found in this Fortinet PSIRT advisory published Monday, October 10.

However, as revealed in an advanced communication to "selected customers," Fortinet advises admins to disable remote management user interfaces to ensure that potential attacks are blocked.

"If these devices cannot be updated in a timely manner, internet facing HTTPS Administration should be immediately disabled until the upgrade can be performed," Fortinet said.

A Fortinet spokesperson refused to comment when asked if the vulnerability is actively exploited in the wild and hinted that the company would share more information in the coming days.

"Customer communications often detail the most up-to-date guidance and recommended next steps to best protect and secure their organization," the Fortinet spokesperson said.

"There are instances where confidential advance customer communications can include early warning on Advisories to enable customers to further strengthen their security posture, which then will be publicly released in the coming days to a broader audience."