Security Experts:

Connect with us

Hi, what are you looking for?



PoC Published for Fortinet Vulnerability as Mass Exploitation Attempts Begin

Details and a proof-of-concept (PoC) exploit have been published for the recent Fortinet vulnerability tracked as CVE-2022-40684, just as cybersecurity firms are seeing what appears to be the start of mass exploitation attempts.

Details and a proof-of-concept (PoC) exploit have been published for the recent Fortinet vulnerability tracked as CVE-2022-40684, just as cybersecurity firms are seeing what appears to be the start of mass exploitation attempts.

Fortinet privately informed some customers last week about the availability of patches and workarounds for a critical authentication bypass vulnerability exposing some devices to remote attacks.

The security hole allows an unauthenticated attacker to remotely perform unauthorized operations on an appliance’s admin interface using specially crafted requests. Exploitation is not difficult and it can lead to a full device takeover.

On Monday, the company made public an advisory and confirmed that the zero-day flaw had been exploited in at least one attack.

This suggested that the attack observed by Fortinet was likely the work of a sophisticated — likely state-sponsored — threat actor. However, as more details are coming to light, it’s increasingly likely that CVE-2022-40684 will be widely exploited.

Penetration testing company has made public a PoC exploit that allows an attacker to add an SSH key to the admin user, enabling the attacker to access the targeted system with administrator privileges. The firm has also released technical details, and others have created templates for vulnerability scanners.

There have been several reports over the past day indicating that scanning for systems affected by CVE-2022-40684 is underway. Threat intelligence firm GreyNoise has seen exploitation attempts coming from more than 40 unique IPs in the past 24 hours.

WordPress security company Defiant has also seen exploitation attempts, coming from nearly two dozen IPs.

“Most of the requests we have observed are GET requests presumably trying to determine whether a Fortinet appliance is in place,” the Wordfence team at Defiant explained. “However, we also found that a number of these IPs are also sending out PUT requests matching the recently released proof of concept, […] which attempts to update the public SSH key of the admin user.”

“While some requests are using a fake public key, which may indicate a benign vulnerability scanner, all of the requests using a valid public key are using the same public key, indicating that these requests are all the work of the same actor,” the Wordfence team added.

Shortly after the existence of CVE-2022-40684 came to light, SANS Institute reported seeing an increase in scans for an old Fortigate vulnerability and the company believed someone may have been trying to create a list of potential targets for exploitation. SANS has now also reported seeing exploitation attempts targeting CVE-2022-40684.

CVE-2022-40684 affects Fortinet FortiOS, FortiProxy, and FortiSwitchManager appliances. Patches and workarounds are available from the vendor, and organizations have been urged to address the flaw as soon as possible. CISA has instructed federal agencies to take action by November 1.

One scan showed more than 17,000 vulnerable Fortinet appliances exposed to attacks, including over 3,000 in the United States.

Related: Vulnerabilities in Fortinet WAF Can Expose Corporate Networks to Attacks

Related: Fortinet Patches High-Severity Vulnerabilities in Several Products

Related: Tens of Thousands of Unpatched Fortinet VPNs Hacked via Old Security Flaw

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.