Security News > 2022 > October > Researchers release PoC for Fortinet firewall flaw, exploitation attempts mount
Ai researchers have released a PoC exploit for CVE-2022-40684, the authentication bypass vulnerability affecting Fortinet's firewalls and secure web gateways, and soon after exploitation attempts started rising.
" , the Wordfence Threat Intelligence team began tracking exploit attempts targeting CVE-2022-40684 on our network of over 4 million protected websites," Wordfence threat analyst Ram Gall shared.
They have recorded several exploit attempts and requests from over 20 IP addresses, but most of those were attempts to discover whether a Fortinet appliance is in place.
It is unknown who first discovered the existence of CVE-2022-40684, but Fortinet spotted it being exploited in the wild, created patches, and privately urged customers to implement them before going public with the information.
Ai researchers created an exploit after analyzing the differences between the vulnerable and the patched firmware, but refrained from publishing it for a few days, to give admins time to patch or implement workarounds.
Others have released PoCs and, as already noted, exploitation attempts have begun surfacing.
News URL
https://www.helpnetsecurity.com/2022/10/14/cve-2022-40684-exploitation/
Related news
- Palo Alto firewalls: CVE-2024-3400 exploitation and PoCs for persistence after resets/upgrades (source)
- CISA Alerts on Active Exploitation of Flaws in Fortinet, Ivanti, and Nice Products (source)
- Week in review: PoCs allow persistence on Palo Alto firewalls, Okta credential stuffing attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-10-18 | CVE-2022-40684 | Improper Authentication vulnerability in Fortinet Fortios, Fortiproxy and Fortiswitchmanager An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. | 9.8 |