Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Fortinet Customers Told to Urgently Patch Remotely Exploitable Vulnerability

Fortinet has privately informed some customers about a critical and remotely exploitable vulnerability that poses a significant risk.

Fortinet has privately informed some customers about a critical and remotely exploitable vulnerability that poses a significant risk.

The cybersecurity firm does not appear to have released a public advisory, but in emails sent to customers the company revealed that its FortiOS and FortiProxy products are affected by a critical authentication bypass vulnerability on the admin interface. The issue is tracked as CVE-2022-40684.

The email has only been distributed to ‘select customers’ and it’s marked as ‘strictly confidential’, with recipients instructed not to share it outside their organization. However, copies of the email have been shared on social media and even on Fortinet forums by customers.

“Fortinet is providing an advanced notification of a critical severity authentication bypass using an alternate path or channel [CWE-88] in specific versions of FortiOS and FortiProxy that may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” Fortinet said.

The company has instructed customers to immediately update their products due to attackers being able to remotely exploit the vulnerability.

FortiOS versions between 7.0.0 and 7.0.6, and between 7.2.0 and 7.2.1 are affected, as well as FortiProxy 7.0.0 through 7.0.6 and 7.2.0. FortiOS patches are included in versions 7.0.7 and 7.2.2, and fixes for FortiProxy are included in 7.0.7 and 7.2.1. There have also been some unconfirmed reports that versions 6.x.x could also be impacted.

Users can also prevent attacks by ensuring that only trusted IP addresses can reach the affected products’ administrative interface.

Threat intelligence company GreyNoise says it will be keeping an eye out for exploitation attempts, but for the time being there is not enough information for them to be able to identify attacks.

Threat intelligence firm Cyberthint reported seeing more than 150,000 potentially vulnerable Fortinet product instances that are exposed to the internet.

While it’s unclear if attacks exploiting CVE-2022-40684 have already begun, it’s not uncommon for threat actors to target vulnerabilities in Fortinet products.

UPDATE: Fortinet has made its advisory public. The company has also informed customers about CVE-2022-33873, which allows an unauthenticated remote attacker to execute arbitrary commands in the underlying shell.

UPDATE 2: Fortinet has confirmed that CVE-2022-40684 is zero-day that has been exploited in at least one attack. 

Related: Vulnerabilities in Fortinet WAF Can Expose Corporate Networks to Attacks

Related: CISA Expands ‘Must-Patch’ List With Log4j, FortiOS, Other Vulnerabilities

Related: Fortinet Patches High-Severity Vulnerabilities in Several Products

Related: Tens of Thousands of Unpatched Fortinet VPNs Hacked via Old Security Flaw

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.