Fortinet is urging customers to urgently patch their appliances against a critical authentication bypass vulnerability in FortiOS, FortiProxy, and FortiSwitchManager that is being exploited in attacks.
The company released security updates to address the flaw (CVE-2022-40684) last week and it also advised customers in private alerts to disable remote management user interfaces on affected devices “with the utmost urgency” to block attacks if they can’t immediately patch.
One week later, Horizon3.ai security researchers shared a proof-of-concept (PoC) exploit and a technical root cause analysis for the vulnerability.
On Friday, after the exploit code was released, Fortinet issued a public warning asking customers to patch this actively exploited security flaw urgently.
“After multiple notifications from Fortinet over the past week, there are still a significant number of devices that require mitigation, and following the publication by an outside party of POC code, there is active exploitation of this vulnerability,” the company warned.
“Based on this development, Fortinet again recommends customers and partners take urgent and immediate action as described in the public Advisory.”
Attackers started scanning for unpatched Fortinet devices as soon as the initial confidential notification was sent to customers on October 6, with Fortinet saying that it detected threat actors exploiting the vulnerability to create malicious administrator accounts.
Cybersecurity companies GreyNoise and Bad Packets confirmed Fortinet’s findings after sharing that they’ve also detected attackers scanning for and attempting to exploit CVE-2022-40684 in the wild.
CISA also added CVE-2022-40684 on Tuesday to its catalog of security bugs exploited in attacks, requiring all Federal Civilian Executive Branch agencies to patch Fortinet devices on their networks by November 1st.
Admins who can't immediately patch, and can't take vulnerable appliances offline to ensure they aren't compromised, can apply the mitigation measures Fortinet shared in its security advisory.
Both workarounds restrict access to the administrative interface: either disable the HTTP/HTTPS admin interface outright, or limit which source IP addresses can reach it with a local-in policy.
To check whether a device was already compromised before applying mitigations or patches, review its logs for entries with user="Local_Process_Access", user_interface="Node.js", or user_interface="Report Runner". These are the values Fortinet lists as indicators of the bypass being used to change configuration, for example to add the rogue administrator accounts mentioned above.
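A small detector that runs those indicators over FortiOS-style key=value event logs. This is an added example, not a tool from Fortinet or the article; the log lines are constructed for illustration, and the script accepts the interface field under both the advisory's name `user_interface` and `ui`, which is how raw FortiOS event logs are assumed here to label it.

```python
import re
from typing import Dict, List

# Indicators from Fortinet's advisory for CVE-2022-40684: configuration
# changes made through the bypassed API are logged under this user and these
# user-interface values.
IOC_USER = "Local_Process_Access"
IOC_INTERFACES = {"Node.js", "Report Runner"}

# FortiOS event logs are space-separated key=value pairs; values are usually
# double-quoted and may contain spaces.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict of field -> value."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
        for m in _KV_RE.finditer(line)
    }


def is_suspicious(entry: Dict[str, str]) -> bool:
    """True if the parsed entry carries any of the advisory's indicators."""
    if entry.get("user") == IOC_USER:
        return True
    # 'user_interface' is the field name as the advisory prints it; 'ui' is the
    # short name assumed for raw FortiOS event logs.
    ui = entry.get("user_interface") or entry.get("ui", "")
    return ui in IOC_INTERFACES


def find_indicators(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed entries that match the compromise indicators."""
    return [e for e in (parse_fortios_log(l) for l in lines) if is_suspicious(e)]


# Constructed sample log: two benign admin changes and two entries shaped like
# the advisory's indicators. Not real data from any device.
SAMPLE_LOG = [
    'date=2022-10-10 time=09:12:01 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" '
    'ui="GUI(203.0.113.10)" action="Edit" cfgpath="system.global" msg="Edit system.global"',
    'date=2022-10-10 time=09:13:44 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" '
    'user="Local_Process_Access" ui="Node.js" action="Add" cfgpath="system.admin" '
    'cfgobj="new-admin" msg="Add system.admin new-admin"',
    'date=2022-10-10 time=09:15:02 type="event" subtype="system" user="Local_Process_Access" '
    'user_interface="Report Runner" action="Add" cfgpath="system.admin" msg="Add system.admin"',
    'date=2022-10-10 time=09:20:00 type="event" subtype="system" user="admin" '
    'ui="ssh(203.0.113.10)" action="Edit" cfgpath="system.interface" '
    'msg="Edit system.interface port1"',
]


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOG):
        print(f'{hit.get("date")} {hit.get("time")} user={hit.get("user")} '
              f'ui={hit.get("ui") or hit.get("user_interface")} '
              f'action={hit.get("action")} cfgpath={hit.get("cfgpath")} '
              f'msg={hit.get("msg")}')
```

Run it against an exported event log (one entry per line) instead of `SAMPLE_LOG` to triage a device; a hit on `cfgpath="system.admin"` with `action="Add"` is exactly the rogue administrator account Fortinet reported seeing, and the device should then be treated as compromised rather than merely patched.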