Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

PoC Published for Fortinet Vulnerability as Mass Exploitation Attempts Begin

Details and a proof-of-concept (PoC) exploit have been published for the recent Fortinet vulnerability tracked as CVE-2022-40684, just as cybersecurity firms are seeing what appears to be the start of mass exploitation attempts.

Details and a proof-of-concept (PoC) exploit have been published for the recent Fortinet vulnerability tracked as CVE-2022-40684, just as cybersecurity firms are seeing what appears to be the start of mass exploitation attempts.

Fortinet privately informed some customers last week about the availability of patches and workarounds for a critical authentication bypass vulnerability exposing some devices to remote attacks.

The security hole allows an unauthenticated attacker to remotely perform unauthorized operations on an appliance’s admin interface using specially crafted requests. Exploitation is not difficult and it can lead to a full device takeover.

On Monday, the company made public an advisory and confirmed that the zero-day flaw had been exploited in at least one attack.

This suggested that the attack observed by Fortinet was likely the work of a sophisticated — likely state-sponsored — threat actor. However, as more details are coming to light, it’s increasingly likely that CVE-2022-40684 will be widely exploited.

Penetration testing company Horizon3.ai has made public a PoC exploit that allows an attacker to add an SSH key to the admin user, enabling the attacker to access the targeted system with administrator privileges. The firm has also released technical details, and others have created templates for vulnerability scanners.

There have been several reports over the past day indicating that scanning for systems affected by CVE-2022-40684 is underway. Threat intelligence firm GreyNoise has seen exploitation attempts coming from more than 40 unique IPs in the past 24 hours.

Advertisement. Scroll to continue reading.

WordPress security company Defiant has also seen exploitation attempts, coming from nearly two dozen IPs.

“Most of the requests we have observed are GET requests presumably trying to determine whether a Fortinet appliance is in place,” the Wordfence team at Defiant explained. “However, we also found that a number of these IPs are also sending out PUT requests matching the recently released proof of concept, […] which attempts to update the public SSH key of the admin user.”

“While some requests are using a fake public key, which may indicate a benign vulnerability scanner, all of the requests using a valid public key are using the same public key, indicating that these requests are all the work of the same actor,” the Wordfence team added.

Shortly after the existence of CVE-2022-40684 came to light, SANS Institute reported seeing an increase in scans for an old Fortigate vulnerability and the company believed someone may have been trying to create a list of potential targets for exploitation. SANS has now also reported seeing exploitation attempts targeting CVE-2022-40684.

CVE-2022-40684 affects Fortinet FortiOS, FortiProxy, and FortiSwitchManager appliances. Patches and workarounds are available from the vendor, and organizations have been urged to address the flaw as soon as possible. CISA has instructed federal agencies to take action by November 1.

One scan showed more than 17,000 vulnerable Fortinet appliances exposed to attacks, including over 3,000 in the United States.

Related: Vulnerabilities in Fortinet WAF Can Expose Corporate Networks to Attacks

Related: Fortinet Patches High-Severity Vulnerabilities in Several Products

Related: Tens of Thousands of Unpatched Fortinet VPNs Hacked via Old Security Flaw

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.