September 9, 2022

Fortinet Patches Critical Vulnerability Affecting FortiGate and FortiProxy

Fortinet has released a security alert to its customers about a critical Authentication-Bypass Vulnerability in FortiGate firewalls and FortiProxy web proxies that might allow an unauthenticated  attacker to execute remote arbitrary actions on vulnerable systems.

The Vulnerability

• CVE-2022-40684 (CVSS 3.1: 9.6, Critical)  – An authentication bypass vulnerability, may allow an unauthenticated attacker to perform remote arbitrary actions on the administration interface via a specially crafted HTTP(S) request.

Affected Products

• FortiOS – From 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1.
• FortiProxy – From 7.0.0 to 7.0.6 and 7.2.0.

Mitigation

CYREBRO strongly urges all Fortinet customers to update to the patched versions of FortiOS and FortiProxy, which were published this week – FortiOS versions 7.0.7 and 7.2.2, and FortiProxy versions 7.0.7 and 7.2.1.

Workaround

As a temporary workaround, Fortinet advises customers to disable internet-facing HTTPS Administration until the upgrades are implemented, or to enforce a firewall policy to “local-in traffic.”

References: RAPID7 Blog