Fortinet’s FortiOS, FortiProxy, and FortiSwitchManager products have a significant vulnerability, CVE-2022-40684, that enables remote, unauthenticated attackers to obtain complete administrative access through carefully constructed HTTP/S requests. This vulnerability impacts versions such as FortiOS 7.0.0–7.0.6 and 7.2.0–7.2.1, and it is actively exploited in the wild. Fortinet strongly advises upgrading to versions 7.0.7 or 7.2.2 right away. These devices are high-value targets since they are usually internet-facing. Organizations should implement MFA, restrict public access to admin interfaces, look for the “Local_Process_Access” flag in logs, and, if proper logging is not in place, assume a breach.
CVE-2022-40684 is a critical authentication bypass vulnerability in Fortinet’s FortiOS, FortiProxy, and FortiSwitchManager. It allows remote, unauthenticated attackers to acquire complete administrative access by sending carefully crafted HTTP/S requests. The bug abuses the trust placed in internal API calls: by faking headers such as User-Agent: Report Runner and Forwarded: for=127.0.0.1, a request deceives the system into treating it as local. Successful exploitation gives attackers full access to the REST API, allowing them to download configurations, create users, upload SSH keys, and change rules without triggering conventional login events. Logging is limited – REST API logging is frequently turned off by default, and many actions may go unrecorded. Detection relies on identifying log entries such as user=Local_Process_Access and unauthorized configuration downloads. Organizations should upgrade to FortiOS 7.0.7 or 7.2.2, limit public admin access, enable logging, validate configurations, and presume a breach if visibility is insufficient.
Observed malicious activity includes creating local users, altering account attributes, uploading SSH public keys to administrative accounts (persistence without changing passwords), downloading the entire device configuration (exposing password hashes, account names, and network and VPN configuration), and creating or adjusting policies and VPN profiles to allow lateral access.
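As an added example (not part of the original post or any Fortinet tooling), the following Python checker scans FortiOS-style key="value" log lines for the user=Local_Process_Access marker described above and labels the two high-impact actions listed in the preceding paragraph, configuration downloads and admin-account changes. The sample log lines are constructed, and every field name other than user is an assumption about the log format.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in FortiOS key="value" style. Only the
# user="Local_Process_Access" marker comes from the write-up; the other
# field names (logdesc, ui, action, cfgpath, ...) are assumptions.
SAMPLE_LOGS = [
    'date=2022-10-10 time=13:01:05 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.10)" action="login" status="success"',
    'date=2022-10-10 time=13:02:17 type="event" subtype="system" logdesc="Object attribute configured" user="Local_Process_Access" ui="REST API" action="Add" cfgpath="system.admin" cfgobj="svc_backup"',
    'date=2022-10-10 time=13:02:40 type="event" subtype="system" logdesc="Configuration backed up" user="Local_Process_Access" ui="REST API" action="backup" status="success"',
    'date=2022-10-10 time=13:05:00 type="event" subtype="system" logdesc="Admin logout" user="admin" ui="https(203.0.113.10)" action="logout"',
]

# key=value pairs, value either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Words in logdesc/action that indicate the configuration was exported.
CONFIG_DOWNLOAD_HINTS = ("backup", "download")


def parse_line(line: str) -> Dict[str, str]:
    """Parse one FortiOS-style log line into a field dictionary."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a finding label for a suspicious event, or None if benign."""
    if event.get("user") != "Local_Process_Access":
        return None  # ordinary admin activity; not the bypass marker
    desc = (event.get("logdesc", "") + " " + event.get("action", "")).lower()
    if any(hint in desc for hint in CONFIG_DOWNLOAD_HINTS):
        return "config-download"
    if event.get("cfgpath", "").startswith("system.admin"):
        return "admin-account-change"
    return "local-process-access"  # marker present, action not classified


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Scan log lines and return one finding per suspicious event."""
    findings = []
    for number, line in enumerate(lines, 1):
        event = parse_line(line)
        label = classify(event)
        if label:
            findings.append({"line": number, "label": label,
                             "when": f'{event.get("date")} {event.get("time")}',
                             "logdesc": event.get("logdesc", "")})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

Any finding is worth triage, since the page notes these actions do not produce conventional login events; a config-download finding in particular means the configuration, including password hashes, should be treated as exposed.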
Exploitation Demonstration:
Ease of Exploitation:
Exploiting CVE‑2022‑40684 is comparatively easy for attackers because it requires no authentication or specialized access: a single crafted HTTP/S request that abuses the device’s internal API trust checks is enough. Combined with REST API logging being disabled by default, this means opportunistic scanners and low‑sophistication actors can quickly probe and compromise internet‑facing Fortinet management interfaces.
Conclusion:
Because CVE-2022-40684 grants complete administrative access without authentication through easily spoofable HTTP headers, it poses a serious security risk to enterprises running affected Fortinet equipment. Detection is difficult due to the limited default logging and the ability to carry out high-impact activities silently, so many compromises may go undetected. Given the vulnerability’s critical nature, active exploitation in the wild, and the crucial role these devices play in network security, organizations must treat this as a high-priority incident, apply patches right away, check configurations and logs for indications of compromise, and enact stronger access controls moving forward.
Successful exploitation of CVE-2022-40684 can have serious, far-reaching impacts. Attackers can create local admin users or inject SSH keys for persistent access, download complete configurations that reveal password hashes, VPN credentials, account names, and network topology, and change firewall policies or VPN profiles to pivot into internal systems, enabling data exfiltration, lateral movement, and long-term stealthy presence. Compromises may go unnoticed because REST API logging is frequently turned off and some operations do not produce clear system events. This makes forensics more difficult and increases the likelihood of large-scale credential reuse attacks, regulatory exposure, and prolonged operational disruption across dependent services.