- Fortinet warned users privately about a vulnerability that affects FortiGate firewalls and FortiProxy web proxies.
- The vulnerability has a CVSS score of 9.6 and allows attackers to perform unauthorized actions on affected devices.
- The vulnerability is addressed in FortiOS versions 7.0.7 and 7.2.2, and FortiProxy versions 7.0.7 and 7.2.1.
Fortinet has privately warned its customers about a vulnerability affecting FortiGate firewalls and FortiProxy web proxies. Tracked as CVE-2022-40684 and carrying a CVSS score of 9.6, the flaw allows unauthorized third parties to perform arbitrary operations on the administrative interface by sending specially crafted requests.
The vulnerability is patched in FortiOS versions 7.0.7 and 7.2.2 and in FortiProxy versions 7.0.7 and 7.2.1. FortiOS versions 7.0.0 through 7.0.6 and 7.2.0 through 7.2.1 are vulnerable, as are FortiProxy versions 7.0.0 through 7.0.6 and 7.2.0. The company has not yet announced the issue publicly, in order to give users time to apply the fixes.
> #Fortinet is currently advising its customers on a high severity #vulnerability in
> FortiOS: From 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1
> FortiProxy: From 7.0.0 to 7.0.6 and 7.2.0
> #CVE: CVE-2022-40684
> #authbypass #RCE #prepareforimpact
> @campuscodi @uuallan @GossiTheDog pic.twitter.com/eiVrtsozC0
>
> — Gitworm (@Gi7w0rm) October 7, 2022
Users who cannot upgrade immediately are urged to disable internet-facing HTTPS administration as a temporary workaround until the upgrade is complete. Alternatively, they can enforce a firewall policy for local-in traffic so that only trusted hosts can reach the administrative interface. The company said:
> Timely and ongoing communications with our customers is a key component in our efforts to best protect and secure their organization. Customer communications often detail the most up-to-date guidance and recommended next steps to best protect and secure their organization.
>
> There are instances where confidential advance customer communications can include early warning on advisories to enable customers to further strengthen their security posture, which then will be publicly released in the coming days to a broader audience. The security of our customers is our first priority.
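The two stopgap workarounds described above (removing HTTPS administration from the internet-facing interface, or restricting local-in traffic to trusted hosts) expressed as FortiOS CLI configuration. This is an added example, not text from the article or from Fortinet's customer communication; it assumes the internet-facing interface is named `wan1` and that an address object `admin_hosts` already contains the trusted management IP ranges. Both are placeholders to be replaced with the values from the device being hardened.

```text
# Added example (not from the article or Fortinet): FortiOS CLI workarounds
# for admins who cannot yet upgrade to FortiOS 7.0.7 / 7.2.2 or FortiProxy
# 7.0.7 / 7.2.1. Assumed names: interface "wan1", address object "admin_hosts".

# Option 1: drop HTTPS (and HTTP) administration from the internet-facing
# interface so the admin interface is not reachable from outside at all.
# Note: allowaccess replaces the whole list, so list every service you still
# need on this interface (here only ping is kept).
config system interface
    edit "wan1"
        set allowaccess ping
    next
end

# Option 2: keep HTTPS administration but add a local-in policy so only the
# trusted hosts may reach it; all other HTTPS traffic to wan1 is denied.
# Local-in policies are evaluated top-down, so the accept rule comes first.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "admin_hosts"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
    next
end
```

After applying either option, confirm the change with `show system interface wan1` or `show firewall local-in-policy`, and verify from a host outside the trusted ranges that the management login page on the WAN address no longer loads. Neither workaround removes the flaw; the devices still need to be upgraded to the fixed versions listed above.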