Connect with us

Hi, what are you looking for?



PoC Published for Fortinet Vulnerability as Mass Exploitation Attempts Begin

Details and a proof-of-concept (PoC) exploit have been published for the recent Fortinet vulnerability tracked as CVE-2022-40684, just as cybersecurity firms are seeing what appears to be the start of mass exploitation attempts.

Details and a proof-of-concept (PoC) exploit have been published for the recent Fortinet vulnerability tracked as CVE-2022-40684, just as cybersecurity firms are seeing what appears to be the start of mass exploitation attempts.

Fortinet privately informed some customers last week about the availability of patches and workarounds for a critical authentication bypass vulnerability exposing some devices to remote attacks.

The security hole allows an unauthenticated attacker to remotely perform unauthorized operations on an appliance’s admin interface using specially crafted requests. Exploitation is not difficult and it can lead to a full device takeover.

On Monday, the company made public an advisory and confirmed that the zero-day flaw had been exploited in at least one attack.

This suggested that the attack observed by Fortinet was likely the work of a sophisticated — likely state-sponsored — threat actor. However, as more details are coming to light, it’s increasingly likely that CVE-2022-40684 will be widely exploited.

Penetration testing company has made public a PoC exploit that allows an attacker to add an SSH key to the admin user, enabling the attacker to access the targeted system with administrator privileges. The firm has also released technical details, and others have created templates for vulnerability scanners.

There have been several reports over the past day indicating that scanning for systems affected by CVE-2022-40684 is underway. Threat intelligence firm GreyNoise has seen exploitation attempts coming from more than 40 unique IPs in the past 24 hours.

WordPress security company Defiant has also seen exploitation attempts, coming from nearly two dozen IPs.

Advertisement. Scroll to continue reading.

“Most of the requests we have observed are GET requests presumably trying to determine whether a Fortinet appliance is in place,” the Wordfence team at Defiant explained. “However, we also found that a number of these IPs are also sending out PUT requests matching the recently released proof of concept, […] which attempts to update the public SSH key of the admin user.”

“While some requests are using a fake public key, which may indicate a benign vulnerability scanner, all of the requests using a valid public key are using the same public key, indicating that these requests are all the work of the same actor,” the Wordfence team added.

Shortly after the existence of CVE-2022-40684 came to light, SANS Institute reported seeing an increase in scans for an old Fortigate vulnerability and the company believed someone may have been trying to create a list of potential targets for exploitation. SANS has now also reported seeing exploitation attempts targeting CVE-2022-40684.

CVE-2022-40684 affects Fortinet FortiOS, FortiProxy, and FortiSwitchManager appliances. Patches and workarounds are available from the vendor, and organizations have been urged to address the flaw as soon as possible. CISA has instructed federal agencies to take action by November 1.

One scan showed more than 17,000 vulnerable Fortinet appliances exposed to attacks, including over 3,000 in the United States.

Related: Vulnerabilities in Fortinet WAF Can Expose Corporate Networks to Attacks

Related: Fortinet Patches High-Severity Vulnerabilities in Several Products

Related: Tens of Thousands of Unpatched Fortinet VPNs Hacked via Old Security Flaw

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Data security startup Reco adds Merritt Baer as CISO

Chris Pashley has been named CISO at Advanced Research Projects Agency for Health (ARPA-H).

Satellite cybersecurity company SpiderOak has named Kip Gering as its new Chief Revenue Officer.

More People On The Move

Expert Insights