18 October, 2022

AARNet SOC Detection and Monitoring of CVE-2022-40684

Fortinet has identified a critical authentication bypass vulnerability in the administrative interface of its products running FortiOS, FortiProxy and FortiSwitch Manager, which allows an attacker to perform unauthorised operations or execute commands.

Description

CVE-2022-40684 allows unauthorised execution of commands on Fortinet products running FortiOS (FortiGate firewalls), FortiProxy (web proxies) and FortiSwitch Manager.

Affected versions include:

  • FortiOS: 7.2.1, 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
  • FortiProxy: 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
  • FortiSwitch Manager: 7.2.0, 7.0.0

An authentication bypass using an alternate path or channel [CWE-288] in FortiOS, FortiProxy and FortiSwitch Manager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. The exploit works with any HTTP method (GET, POST, PUT, DELETE, etc.). Note also that a REST API request failing is not an indication that the attacker was unsuccessful.

There are working proof-of-concept (POC) exploits in the wild for this vulnerability.

The vulnerability has been patched in the following versions of the affected products:

  • FortiOS: 7.2.3, 7.0.7
  • FortiProxy: 7.2.1, 7.0.7
  • FortiSwitch Manager: 7.2.1
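The following is an added triage helper, not part of the AARNet advisory or Fortinet's own tooling. It takes "Version:" lines as printed by the FortiOS CLI command `get system status` (sample lines below are constructed), maps the model prefix to the product line, and classifies the running version against the affected and fixed lists above. Versions the advisory does not list are reported as "unlisted" rather than assumed safe; the model-to-product mapping and the exact format of FortiProxy and FortiSwitch Manager status output are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Affected and fixed versions exactly as listed in the advisory above.
AFFECTED = {
    "FortiOS": {"7.2.1", "7.2.0", "7.0.6", "7.0.5", "7.0.4", "7.0.3", "7.0.2", "7.0.1", "7.0.0"},
    "FortiProxy": {"7.2.0", "7.0.6", "7.0.5", "7.0.4", "7.0.3", "7.0.2", "7.0.1", "7.0.0"},
    "FortiSwitch Manager": {"7.2.0", "7.0.0"},
}
FIXED = {
    "FortiOS": {"7.2.3", "7.0.7"},
    "FortiProxy": {"7.2.1", "7.0.7"},
    "FortiSwitch Manager": {"7.2.1"},
}

# Assumption: the model prefix in "get system status" output identifies the product line
# (FortiGate models run FortiOS; FortiProxy and FortiSwitch Manager report their own names).
MODEL_TO_PRODUCT = {
    "FortiGate": "FortiOS",
    "FortiProxy": "FortiProxy",
    "FortiSwitchManager": "FortiSwitch Manager",
}

# Matches e.g. "Version: FortiGate-100F v7.0.5,build0304,220225 (GA)"
VERSION_RE = re.compile(r"Version:\s*(?P<model>[A-Za-z]+)[-\w]*\s+v(?P<ver>\d+\.\d+\.\d+)")


def parse_status(line: str) -> Optional[Tuple[str, str]]:
    """Return (product, version) from a 'Version:' status line, or None if it is not one."""
    m = VERSION_RE.search(line)
    if not m:
        return None
    product = MODEL_TO_PRODUCT.get(m.group("model"))
    if product is None:
        return None
    return product, m.group("ver")


def assess(product: str, version: str) -> str:
    """Classify a version as 'affected', 'fixed', or 'unlisted' (not in the advisory; verify with the vendor)."""
    if version in AFFECTED.get(product, ()):
        return "affected"
    if version in FIXED.get(product, ()):
        return "fixed"
    return "unlisted"


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run every status line through parse_status/assess; non-matching lines are skipped."""
    results = []
    for line in lines:
        parsed = parse_status(line)
        if parsed:
            product, ver = parsed
            results.append((product, ver, assess(product, ver)))
    return results


# Constructed sample output from three devices (not real inventory data).
SAMPLE_STATUS = [
    "Version: FortiGate-100F v7.0.5,build0304,220225 (GA)",
    "Serial-Number: FGXXXXXXXXXXXXXX",
    "Version: FortiGate-VM64 v7.0.7,build0367,221004 (GA)",
    "Version: FortiProxy-VM64 v7.2.1,build0203,221012 (GA)",
    "Version: FortiGate-60E v6.4.9,build2030,220121 (GA)",
]

if __name__ == "__main__":
    for product, ver, verdict in triage(SAMPLE_STATUS):
        print(f"{product} {ver}: {verdict}")
```

Feed it the captured `get system status` output from each device in your fleet; anything reported as "affected" needs the fix version or one of the workarounds below, and "unlisted" results should be checked against the vendor advisory before being treated as unaffected.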

Signatures and IOCs

Logs

If the REST API is enabled on the affected device, it is recommended to check the device logs for:

  • user="Local_Process_Access"
  • user_interface="Node.js"
  • user_interface="Report Runner"

Note: a system configured for production use may naturally produce logs that match these IOCs. However, we would not expect these IOCs to appear together with URLs targeting sensitive REST API endpoints.
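The following is an added detection example written for this page; it is not code from the AARNet advisory or from Fortinet. It parses FortiOS-style key=value log lines (the sample lines are constructed), flags any line carrying one of the IOC field/value pairs above, and raises the finding to "high" when the same line also records a REST API request, which is the combination the note above says should not occur naturally. It assumes REST API requests are logged with a `url=` field whose path begins with `/api/`, and it deliberately ignores the `status=` field because, per the description above, a failing request does not mean the attempt failed.

```python
import re
from typing import Dict, List, Tuple

# IOC field/value pairs taken from the advisory above.
IOC_MATCHES = {
    ("user", "Local_Process_Access"),
    ("user_interface", "Node.js"),
    ("user_interface", "Report Runner"),
}

# Assumption: REST API requests are logged with a url= field whose path starts with /api/.
REST_API_PREFIX = "/api/"

# key=value pairs; quoted values may contain spaces and escaped quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a FortiOS-style key=value log line into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def classify(line: str) -> str:
    """Return 'high' (IOC plus REST API url), 'review' (IOC only) or 'none'."""
    fields = parse_kv(line)
    ioc_hit = any(fields.get(key) == value for key, value in IOC_MATCHES)
    if not ioc_hit:
        return "none"
    # status= is intentionally not consulted: a failed REST API request is still of interest.
    if fields.get("url", "").startswith(REST_API_PREFIX):
        return "high"
    return "review"


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (severity, line) for every line that matches an IOC."""
    findings = []
    for line in lines:
        severity = classify(line)
        if severity != "none":
            findings.append((severity, line))
    return findings


# Constructed sample log lines (not captured from a real device).
SAMPLE_LOGS = [
    # Routine administrator login: no IOC present.
    'date=2022-10-14 time=09:12:01 type="event" subtype="system" user="admin" '
    'user_interface="GUI(192.0.2.10)" action="login" status="success"',
    # IOC user and interface but no REST API url: may be benign, needs review.
    'date=2022-10-14 time=09:15:44 type="event" subtype="system" user="Local_Process_Access" '
    'user_interface="Report Runner" action="login" status="success"',
    # IOC interface together with a REST API request path (endpoint name is a placeholder).
    'date=2022-10-14 time=09:16:02 type="event" subtype="system" user="Local_Process_Access" '
    'user_interface="Node.js" method="https" url="/api/v2/cmdb/example-endpoint" status="failure"',
]

if __name__ == "__main__":
    for severity, line in scan(SAMPLE_LOGS):
        print(severity.upper(), line)
```

Point `scan` at exported event logs for the period since the affected version was deployed; "review" findings are where the production-noise caveat applies, while "high" findings warrant the incident-response process regardless of whether the logged request succeeded.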

Workarounds (FortiOS)

Workaround 1: Disable Interface

Disable the HTTP/HTTPS administrative interface.

Workaround 2: Privileged Access to Interface

Limit IP addresses that can reach the administrative interface:

config firewall address
edit "my_allowed_addresses"
set subnet <MY IP> <MY SUBNET>
end

Then create an Address Group:

config firewall addrgrp
edit "MGMT_IPs"
set member "my_allowed_addresses"
end

Workaround 3: Security Policy for Interface

Create a Local-in Policy that restricts access on the management interface (here: port1) to the predefined address group only:

config firewall local-in-policy
edit 1
set intf port1
set srcaddr "MGMT_IPs"
set dstaddr "all"
set action accept
set service HTTPS HTTP
set schedule "always"
set status enable
next
edit 2
set intf "any"
set srcaddr "all"
set dstaddr "all"
set action deny
set service HTTPS HTTP
set schedule "always"
set status enable
end


Proof of Concept

https://github.com/horizon3ai/CVE-2022-40684
