Fortinet has privately informed some customers about a critical and remotely exploitable vulnerability that poses a significant risk.
The cybersecurity firm does not appear to have released a public advisory, but in emails sent to customers the company revealed that its FortiOS and FortiProxy products are affected by a critical authentication bypass vulnerability on the admin interface. The issue is tracked as CVE-2022-40684.
The email has only been distributed to ‘select customers’ and it’s marked as ‘strictly confidential’, with recipients instructed not to share it outside their organization. However, copies of the email have been shared on social media and even on Fortinet forums by customers.
“Fortinet is providing an advanced notification of a critical severity authentication bypass using an alternate path or channel [CWE-88] in specific versions of FortiOS and FortiProxy that may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” Fortinet said.
The company has instructed customers to immediately update their products due to attackers being able to remotely exploit the vulnerability.
FortiOS versions between 7.0.0 and 7.0.6, and between 7.2.0 and 7.2.1 are affected, as well as FortiProxy 7.0.0 through 7.0.6 and 7.2.0. FortiOS patches are included in versions 7.0.7 and 7.2.2, and fixes for FortiProxy are included in 7.0.7 and 7.2.1. There have also been some unconfirmed reports that versions 6.x.x could also be impacted.
Users can also prevent attacks by ensuring that only trusted IP addresses can reach the affected products’ administrative interface.
Threat intelligence company GreyNoise says it will be keeping an eye out for exploitation attempts, but for the time being there is not enough information for them to be able to identify attacks.
Threat intelligence firm Cyberthint reported seeing more than 150,000 potentially vulnerable Fortinet product instances that are exposed to the internet.
While it’s unclear if attacks exploiting CVE-2022-40684 have already begun, it’s not uncommon for threat actors to target vulnerabilities in Fortinet products.
UPDATE: Fortinet has made its advisory public. The company has also informed customers about CVE-2022-33873, which allows an unauthenticated remote attacker to execute arbitrary commands in the underlying shell.
UPDATE 2: Fortinet has confirmed that CVE-2022-40684 is zero-day that has been exploited in at least one attack.
Related: Vulnerabilities in Fortinet WAF Can Expose Corporate Networks to Attacks
Related: CISA Expands ‘Must-Patch’ List With Log4j, FortiOS, Other Vulnerabilities
Related: Fortinet Patches High-Severity Vulnerabilities in Several Products
Related: Tens of Thousands of Unpatched Fortinet VPNs Hacked via Old Security Flaw

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
