Fortinet has warned administrators to update FortiGate firewalls and FortiProxy web proxies to the latest versions, which address a critical severity vulnerability.
The security flaw (tracked as CVE-2022-40684) is an authentication bypass on the administrative interface that could allow remote threat actors to log into unpatched devices.
“An authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” Fortinet explains in a customer support bulletin issued today.
“This is a critical vulnerability and should be dealt with the utmost urgency,” the company adds.
Fortinet has also emailed customers and advised them to update to the latest available versions immediately.
“Due to the ability to exploit this issue remotely, Fortinet is strongly recommending all customers with the vulnerable versions to perform an immediate upgrade,” the company warned.
According to a Shodan search, more than 100,000 FortiGate firewalls are reachable from the Internet, although it’s unknown if their management interfaces are also exposed.
The complete list of products vulnerable to attacks attempting to exploit the CVE-2022-40 flaw includes:
FortiOS: From 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1
FortiProxy: From 7.0.0 to 7.0.6 and 7.2.0
Per today’s customer support bulletin, Fortinet released security patches on Thursday, asking customers to update vulnerable devices to FortiOS/FortiProxy versions 7.0.7 or 7.2.2.
The company also provides a workaround for those who can’t immediately deploy security updates.
To block remote attackers from bypassing authentication and logging into vulnerable FortiGate and FortiProxy deployments, customers should limit the IP addresses that can reach the administrative interface using a local-in-policy.
BleepingComputer emailed Fortinet to request info regarding active exploitation and we will update the story when we have more details.