Attackers are abusing a critical authentication bypass vulnerability, tracked as CVE-2022-40684, with a CVSS score of 9.6, in multiple versions of Fortinet Products, including FortiOS, FortiProxy, and FortiSwitchManager.
Latest findings
According to Cyble researchers, the vulnerability affects FortiOS version 7.2.0 through 7.2.1, FortiOS version 7.0.0 through 7.0.6, FortiProxy version 7.2.0, FortiProxy version 7.0.0 through 7.0.6, FortiSwitchManager version 7.2.0, and FortiSwitchManager version 7.0.0.
By abusing the vulnerability, an attacker can modify the admin SSH keys to log in to the compromised system, add new local users, update networking configurations to reroute traffic, and download the system configuration.
Further, the vulnerability allows an unauthenticated attacker to gain complete access to the targeted system, perform operations on the administrative interface via specially crafted HTTP or HTTPS requests, and interact with all management API endpoints.
With the foothold and knowledge, the attacker could launch other attacks against the rest of the IT environment.
Vulnerability timeline
In early October, Fortinet disclosed the vulnerability and urged customers to immediately perform a software upgrade. Later, it issued an email notification to the selected customers providing a confidential warning, along with mitigation advice.
In mid-October, the CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog. Several technical blogs and POCs were released in the public domain and active exploitation started after the attacks escalated.
Additional insights
Researchers found that there are over a hundred thousand FortiGate firewalls exposed over the internet that are likely under the scope of attackers and are exposed to the vulnerability.
Moreover, FortiOS access for several private-public entities has been distributed over Russian Cybercrime forums since October.
Conclusion
The newly disclosed vulnerability significantly impacts the security posture of the organization using these products. Attackers are trying to utilize the knowledge about known exploits to cause monetary, financial, and reputational loss to organizations. Therefore, organizations are advised to immediately update the affected products with the latest patch released by the official vendor, implement proper network segmentation and access controls, and implement secure backups to safeguard critical assets.