7th October 2022
Fortinet has confirmed an authentication bypass vulnerability in FortiOS and FortiProxy versions 7.x. CVE-2022-40684 has a CVSSv3 score of 9.6 (Critical).
This vulnerability allows an authentication bypass on the management interface using “specially crafted HTTP or HTTPS requests”.
Fortinet provided advance notification to customers, released patches, and recommends an immediate upgrade because this issue can be exploited remotely.
An official public advisory from Fortinet PSIRT is not yet available at the time of the publication of this blog post.
Spotit also recommends upgrading immediately. If this is not possible, access to the administrative interface should be restricted using a local-in-policy.
Affected versions:
FortiOS: from 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1
FortiProxy: from 7.0.0 to 7.0.6 and 7.2.0
Earlier versions are not affected.