Fortinet issues emergency patch for authentication bypass

'Selected' customers advised last week.

Fortinet has issued emergency patches for various versions of its FortiOS and FortiProxy software.

News of the bug, CVE-2022-40684, emerged late last week on social media.

While the company’s security advisories don’t yet list the bug, its existence emerged when Twitter user @Gi7w0rm posted a confidential e-mail received by “selected” Fortinet customers.

“Fortinet is providing an advanced notification of a critical severity authentication bypass using an alternate path or channel ... in specific versions of FortiOS and FortiProxy that may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests”, the email states.

Vulnerable versions are FortiOS 7.0.0 to 7.0.6, FortiOS 7.2.0 to 7.2.1, and FortiProxy 7.0.0 to 7.0.6 and 7.2.0.

The company has acknowledged and patched the bug in FortiOS 7.2.1 and 7.2.2, while FortiProxy 7.2.1 replaces vulnerable versions.

Tenable Security wrote: “At this time, there is no information on whether this vulnerability has been exploited in attacks. But, given threat actors’ penchant for targeting FortiOS vulnerabilities, Fortinet’s recommendation to remediate this vulnerability ‘with the utmost urgency’ is appropriate.”

While the vulnerability’s CVE details haven’t yet been published, Tenable said the bug received a CVSS score of 9.8.

Copyright © iTnews.com.au. All rights reserved.