CVE-2022-40684

What is Fortinet FortiOS / FortiProxy / FortiSwitchManager?

Fortinet is one of the world's largest network security vendors. FortiOS is the operating system powering FortiGate next-generation firewalls — the most widely deployed enterprise firewalls globally. FortiProxy is Fortinet's secure web gateway proxy. FortiSwitchManager is the centralized management platform for FortiSwitch network switches. All three products expose web-based administrative interfaces used by network security teams to configure and manage network security infrastructure. Because FortiGate firewalls handle all network traffic and security enforcement for millions of enterprises, a compromise of the management interface gives attackers full control over network perimeter security and access to the protected internal network.

Overview

CVE-2022-40684 is a critical authentication bypass vulnerability (CWE-287, CVSS 9.8) in Fortinet FortiOS, FortiProxy, and FortiSwitchManager that allows an unauthenticated remote attacker to perform any administrative operation on the management interface by sending specially crafted HTTP or HTTPS requests. Successful exploitation requires no credentials and allows the attacker to create new administrator accounts, modify firewall policies, extract VPN credentials, and fully control the Fortinet device. Fortinet privately notified customers five days before publishing the advisory — indicating awareness of active exploitation before public disclosure. Active exploitation was confirmed at the time of public advisory release. ransomwareUse: true.

Affected Versions

Fortinet 6.x versions are not affected. Only 7.0 and 7.2 series are vulnerable.

Technical Details

The vulnerability (CWE-287: Improper Authentication) exists in the HTTP/HTTPS authentication mechanism for the administrative management interface. Fortinet's management interface uses the HTTP Forwarded header to support proxy and load balancer deployments — the header is used to identify the originating client IP when requests pass through intermediaries.

An attacker exploits the vulnerability by crafting HTTP requests with a specially constructed Forwarded header (or potentially X-Forwarded-For) that causes the authentication logic to incorrectly determine that the request comes from a trusted local source, bypassing the normal credential verification. This allows the attacker to issue any administrative API command — including creating new admin accounts, modifying configuration, or exfiltrating system state — without providing valid credentials.

Post-exploitation, threat actors typically:

1. Create a new administrator account with a persistent backdoor password
2. Modify firewall policies to allow inbound connections to internal systems
3. Extract SSL-VPN configurations and credentials
4. Deploy persistent implants on the FortiGate device itself

Discovery

The vulnerability was discovered and reported to Fortinet through their PSIRT program. Fortinet's decision to privately notify customers before publishing the advisory indicates they were aware of imminent or active exploitation — likely through customer incident reports. Multiple security research teams reverse-engineered the patch and published technical analysis within days of the advisory, enabling rapid weaponization.

Exploitation Context

CVE-2022-40684 generated immediate mass exploitation activity. Within days of the public advisory:

• Security researchers observed thousands of exploitation attempts against internet-accessible Fortinet devices
• Threat actors were observed creating rogue administrator accounts on compromised FortiGate firewalls within hours of the advisory
• Ransomware groups incorporated the exploit into their initial access operations

The vulnerability is particularly dangerous because:

• FortiGate firewalls are internet-facing by design (they protect the network perimeter) and management interfaces are often accessible from the internet for remote administration
• A compromised FortiGate gives the attacker full visibility and control over all network traffic passing through it
• FortiGate SSL-VPN provides access to all VPN user sessions and credentials

Known exploitation activity included Hive ransomware and other groups using CVE-2022-40684 as an initial access vector before deploying ransomware across the internal network.

Remediation

1. Patch FortiOS/FortiProxy/FortiSwitchManager immediately: Upgrade to the fixed versions per FG-IR-22-377. This is a critical zero-day with confirmed active exploitation — do not wait.
2. Disable management interface internet access: As an emergency mitigation, disable internet-accessible management (HTTPS admin) on FortiGate WAN interfaces. Management should only be accessible from trusted internal or management network IPs.
3. Audit for rogue admin accounts: Check the administrator user list for any accounts that were not created by your team. Delete unauthorized accounts immediately.
4. Review firewall policy changes: Examine the FortiGate audit log for configuration changes made during the exploitation window — particularly new firewall rules, VPN policy changes, or routing modifications.
5. Rotate SSL-VPN credentials: Assume VPN user credentials may have been harvested. Force password resets for all SSL-VPN users and review VPN session logs for unauthorized access.
6. Check for persistent implants: Fortinet released guidance on detecting implants (FortiOS file system modifications). Run the integrity checker to verify system files have not been tampered with.