- Fortinet and multiple cybersecurity companies confirmed that the authentication bypass vulnerability is being exploited in the wild.
- The vulnerability allows attackers to add an SSH key to the admin user and then SSH into the affected system as admin.
- Fortinet stated that there are still a significant number of devices that need to be updated and urged users to update their systems.
Last week, Fortinet privately warned its users about a critical authentication bypass vulnerability found in FortiOS, FortiProxy, and FortiSwitchManager. The company released an update to fix the issue, urged its users to apply the patch as soon as possible, and also advised them to disable remote management user interfaces to protect themselves against the attacks.
Proof-of-concept exploit
Shortly after Fortinet’s announcement, security researchers at Horizon3 released a proof-of-concept for the vulnerability, tracked as CVE-2022-40684. The vulnerability allows attackers to add an SSH key to the admin user and then SSH into the affected system as admin.
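Because the exploit leaves a persistent trace, an SSH public key on an admin account, one practical check is to audit a FortiOS configuration backup for keys that are not in an approved baseline. The following is an added example, not code from the article, Fortinet, or Horizon3; the `config system admin` / `ssh-public-keyN` layout of the sample configuration is an assumption made here, and the configuration text itself is constructed.

```python
import re

# Constructed sample in the FortiOS CLI "config system admin" layout (layout assumed here).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/EXAMPLE unexpected@host"
    next
    edit "netops"
    next
end
"""

EDIT_RE = re.compile(r'^\s*edit\s+"([^"]+)"')
KEY_RE = re.compile(r'^\s*set\s+ssh-public-key\d\s+"([^"]*)"')


def admin_ssh_keys(config_text: str) -> dict[str, list[str]]:
    """Map each account in 'config system admin' to the SSH public keys set on it."""
    keys: dict[str, list[str]] = {}
    current = None
    in_block = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "config system admin":
            in_block = True
        elif not in_block:
            continue
        elif stripped == "end":
            break  # leave the admin block; later sections are irrelevant
        elif (m := EDIT_RE.match(line)):
            current = m.group(1)
            keys.setdefault(current, [])
        elif (m := KEY_RE.match(line)) and current is not None:
            keys[current].append(m.group(1))
    return keys


def unexpected_keys(config_text: str, approved: dict[str, list[str]]) -> list[str]:
    """Return 'account: key' for every configured key missing from the approved baseline."""
    findings = []
    for account, key_list in admin_ssh_keys(config_text).items():
        findings += [f"{account}: {k}" for k in key_list if k not in approved.get(account, [])]
    return findings


if __name__ == "__main__":
    for finding in unexpected_keys(SAMPLE_CONFIG, approved={}):
        print("review:", finding)
```

Run it against a configuration export taken before the patch was applied; any key reported for a privileged account that the team did not provision deserves an incident-response look rather than silent removal.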
After the exploit code was released publicly, Fortinet published another warning urging customers to patch the actively exploited vulnerability. GreyNoise and Bad Packets also confirmed that threat actors are scanning for the vulnerability in order to exploit it. The Cybersecurity and Infrastructure Security Agency has also added the vulnerability to its Known Exploited Vulnerabilities Catalog, urging all Federal agencies to update their Fortinet devices before November 1st. Fortinet said,
« After multiple notifications from Fortinet over the past week, there are still a significant number of devices that require mitigation, and following the publication by an outside party of POC code, there is active exploitation of this vulnerability. Based on this development, Fortinet again recommends customers and partners take urgent and immediate action as described in the public Advisory. »