Fortinet Inc. today issued emergency patches for a number of its products after a severe vulnerability was discovered and exposed last week.

The vulnerability, designated CVE-2022-40684, is described by Fortinet as an authentication bypass. The bypass uses an alternate path or channel vulnerability in FortiOS, FortiProxy and FortiSwitchManager that may allow an unauthenticated attacker to perform operations on the administrative interface via a specifically crafted HTTP or HTPPS request. Fortinet noted that it’s aware of an instance where the vulnerability has been exploited.

Fortinet first let “select customers” know of the vulnerability via email last week. According to Security Week, copies of the email were shared on social media and Fortinet forums in the following days.

#Fortinet is currently advising it's customers on a high severity #vulnerability in
FortiOS: From 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1
FortiProxy: From 7.0.0 to 7.0.6 and 7.2.0#CVE: CVE-2022-40684#authbypass #RCE #prepareforimpact@campuscodi @uuallan @GossiTheDog pic.twitter.com/eiVrtsozC0

— Gitworm (@Gi7w0rm) October 7, 2022

Versions of Fortinet software that are exposed to the vulnerability are FortiOS 7.0.0 to 7.06, 7.2.0 and 7.2.1; FortiProxy 7.0.0 to 7.0.6 and 7.2.0; and FortiSwitchManager 7.0.0 and 7.2.0. FortiOS has released patched versions for FortiOS 7.0.7 and 7.2.2 and above, FortiProxy 7.0.7 and 7.2.1 and above and FortiSwitchManager 7.2.1 or above.

Along with installing patches or newer versions of the affected software, Fortinet recommends users validate their systems against the user=”Local_Process_Access” in device logs. For those unable to install a patch, at least immediately, there are other options to address the vulnerability.

The workaround options for FortiOS and FortProxy include disabling the HTTP/HTTPS administrative access or limiting IP addresses that can reach the administrative interface. For FortiSwitchManager, the only option is to disable the HTTP/HTTPS administrative access. With all options, customers can also contact Fortinet customer support for assistance.

Although Fortinet has released patches and workarounds, the risk of the vulnerability being exploited continues to grow. The Horizon3 Attack Team posted on Twitter Inc. that it’s working on a proof-of-concept exploit that it plans to release later this week.

Another appliance vuln down…

CVE-2022-40684, affecting multiple #Fortinet solutions, is an auth bypass that allows remote attackers to interact with all management API endpoints.

Blog post and POC coming later this week. Patch now. pic.twitter.com/YS7svIljAw

— Horizon3 Attack Team (@Horizon3Attack) October 10, 2022

Fortinet did not disclose how many customers may be affected. However, cyberthreat intelligence platform company Cyberthint estimates that there are more than 150,000 Fortinet devices exposed.

The vulnerability allows attackers to bypass authentication phase and operating in an unauthenticated management interface. There are more than 150,000 devices that are internet-enabled and potentially vulnerable around the world.

— Cyberthint (@cyberthint) October 7, 2022

Image: Fortinet