September 22, 2023

Fortinet is urging its customers to patch a critical authentication bypass vulnerability that has already been exploited in the wild.

Earlier this month, Fortinet patched the bug, CVE-2022-40684, found in its FortiOS network operating system, FortiProxy secure web proxy, and FortiSwitchManager management platform.

The vulnerability allows an unauthenticated attacker to add an SSH key to the admin user, enabling potential miscreants to hack the administrative interface using specially crafted HTTP or HTTPS requests.


The issue affects FortiOS versions from 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1, FortiProxy versions from 7.0.0 to 7.0.6 and 7.2.0, and FortiSwitchManager versions 7.0.0 and 7.2.0.

Earlier this month, customers were notified via email and advised to update vulnerable devices to FortiOS 7.0.7 or 7.2.2 and above, FortiProxy 7.0.7 or 7.2.1 and above, and FortiSwitchManager 7.2.1 or above. Those that can’t, said Fortinet, should immediately disable internet-facing HTTPS administration interfaces.
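The affected and fixed versions above are easy to misread in an inventory spreadsheet, so here is a small triage script, added for this article and not Fortinet's own tooling, that maps a device's reported version onto the ranges the advisory lists and names the release to move to. It assumes version strings of the form "v7.0.5,build0000" (constructed) and only knows the ranges quoted in this article; a version outside them is reported as "not listed", which is not the same as "known safe".

```python
# Added example (not Fortinet's code): check a device's reported firmware
# version against the ranges the advisory lists as affected by CVE-2022-40684
# and name the fixed release to move to. Version strings like
# "v7.0.5,build0000" are assumed to be what an inventory export contains.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges and the first fixed release for each, as given in
# the article text. Anything outside these ranges is "not listed", not "safe".
AFFECTED: Dict[str, List[Tuple[Tuple[str, str], str]]] = {
    "FortiOS": [(("7.0.0", "7.0.6"), "7.0.7"), (("7.2.0", "7.2.1"), "7.2.2")],
    "FortiProxy": [(("7.0.0", "7.0.6"), "7.0.7"), (("7.2.0", "7.2.0"), "7.2.1")],
    "FortiSwitchManager": [(("7.0.0", "7.0.0"), "7.2.1"), (("7.2.0", "7.2.0"), "7.2.1")],
}


def parse_version(text: str) -> Version:
    """Turn 'v7.0.5,build0000' or '7.0.5' into (7, 0, 5)."""
    core = text.strip().split(",")[0].lstrip("vV")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a major.minor.patch version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(product: str, version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_release); fixed_release is None when not in a listed range."""
    if product not in AFFECTED:
        raise KeyError(f"no advisory data for product {product!r}")
    v = parse_version(version)
    for (low, high), fixed in AFFECTED[product]:
        if parse_version(low) <= v <= parse_version(high):
            return True, fixed
    return False, None


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Produce one action line per (hostname, product, version) inventory row."""
    lines = []
    for host, product, version in inventory:
        affected, fixed = assess(product, version)
        if affected:
            lines.append(f"{host}: {product} {version} AFFECTED -> upgrade to {fixed} or later, "
                         f"or disable internet-facing HTTPS administration until you can")
        else:
            lines.append(f"{host}: {product} {version} not in the listed affected ranges")
    return lines


if __name__ == "__main__":
    # Constructed inventory rows, not real devices.
    sample = [
        ("fw-edge-1", "FortiOS", "v7.0.5,build0000"),
        ("fw-edge-2", "FortiOS", "v7.2.2,build0000"),
        ("proxy-1", "FortiProxy", "7.2.0"),
        ("fsm-1", "FortiSwitchManager", "7.2.0"),
    ]
    for line in triage(sample):
        print(line)
```

Feed it the product and version columns of whatever device inventory you keep; the comparison is tuple-wise on (major, minor, patch), so 7.0.10 correctly sorts above 7.0.7.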

Meanwhile, researchers warned that attackers are scanning for and attempting to exploit the vulnerability in the wild. Iranian cybercriminal groups appear to be colluding with Chinese and Russian groups as part of the campaign, with the aim of supporting Russia’s offensive in Ukraine.


In response to the detection of attacks in the wild, Fortinet issued a further advisory, stressing the increased seriousness of the situation.

Fortinet is aware of instances where this vulnerability was exploited to download the config file from the targeted devices, and to add a malicious super_admin account called ‘fortigate-tech-support’. It appeared that many affected organizations had still failed to patch their systems, leading to yet another warning from Fortinet.
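The two post-exploitation traces Fortinet describes, a rogue super_admin account named ‘fortigate-tech-support’ and an SSH key planted on the admin user, are both visible in a configuration export. The script below is an added example for this article, not Fortinet's code: it parses the "config system admin" section of a config dump and flags any account that is not on your allowlist and any SSH public key you did not deploy. The setting names (accprofile, ssh-public-key1..3) are assumed to match FortiOS configuration syntax, the excerpt is constructed, and the key material is a placeholder.

```python
# Added example (not Fortinet's code): audit the "config system admin" section
# of a FortiGate configuration export for the indicators the advisory names:
# an admin account that should not exist ('fortigate-tech-support') and SSH
# public keys on admin users that nobody on the team deployed. Setting names
# (accprofile, ssh-public-key1..3) are assumed to follow FortiOS config syntax.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class AdminAccount:
    name: str
    accprofile: str = ""
    ssh_keys: List[str] = field(default_factory=list)


_EDIT_RE = re.compile(r'^edit "([^"]*)"$')
_SET_RE = re.compile(r'^set (\S+) "(.*)"$')


def parse_admins(config_text: str) -> List[AdminAccount]:
    """Extract admin accounts from the 'config system admin' block of a config dump."""
    admins: List[AdminAccount] = []
    current: Optional[AdminAccount] = None
    in_section = False
    depth = 0  # nested 'config ... end' blocks inside an admin entry
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == "config system admin"
            continue
        if line.startswith("config "):
            depth += 1
            continue
        if line == "end":
            if depth == 0:
                break  # end of the admin section
            depth -= 1
            continue
        if depth:
            continue  # settings inside nested sub-blocks are not audited here
        m = _EDIT_RE.match(line)
        if m:
            current = AdminAccount(name=m.group(1))
            continue
        if line == "next" and current is not None:
            admins.append(current)
            current = None
            continue
        m = _SET_RE.match(line)
        if m and current is not None:
            key, value = m.groups()
            if key == "accprofile":
                current.accprofile = value
            elif key.startswith("ssh-public-key"):
                current.ssh_keys.append(value)
    return admins


def audit(admins: List[AdminAccount], expected_accounts: Set[str],
          known_keys: Set[str]) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs that deserve an analyst's attention."""
    findings: List[Tuple[str, str]] = []
    for a in admins:
        if a.name not in expected_accounts:
            findings.append((a.name, f"unexpected admin account (profile: {a.accprofile or 'unset'})"))
        for key in a.ssh_keys:
            if key not in known_keys:
                findings.append((a.name, "SSH public key not in the known-key set"))
    return findings


# Constructed config excerpt in FortiOS style; the key material is a placeholder.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set ssh-public-key1 "ssh-rsa AAAAB3PLACEHOLDER-NOT-A-REAL-KEY unknown@host"
    next
    edit "fortigate-tech-support"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "netops"
        set accprofile "prof_admin"
        config gui-dashboard
        end
    next
end
"""

if __name__ == "__main__":
    accounts = parse_admins(SAMPLE_CONFIG)
    for account, finding in audit(accounts, {"admin", "netops"}, set()):
        print(f"[!] {account}: {finding}")
```

Run it against a fresh config backup from each device, with your real account allowlist and the fingerprints or full strings of the keys you actually issued; an unexpected super_admin account or an unknown key on a device that was exposed while unpatched is reason to treat the configuration, including any credentials it contains, as compromised.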
