CVE-2022-40684 Overview
CVE-2022-40684 is a critical authentication bypass vulnerability affecting multiple Fortinet products including FortiOS, FortiProxy, and FortiSwitchManager. The vulnerability allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. This flaw stems from an alternate path or channel authentication bypass (CWE-288), enabling threat actors to gain unauthorized administrative access to affected devices without valid credentials.
This vulnerability is particularly severe as it targets network perimeter security devices, which serve as the first line of defense for enterprise networks. Successful exploitation grants attackers complete administrative control over firewalls and network security appliances.
Critical Impact
This vulnerability is actively exploited in the wild and listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Unauthenticated attackers can gain full administrative access to Fortinet security appliances, potentially compromising entire network infrastructures.
Affected Products
- Fortinet FortiOS version 7.2.0 through 7.2.1
- Fortinet FortiOS version 7.0.0 through 7.0.6
- Fortinet FortiProxy version 7.2.0
- Fortinet FortiProxy version 7.0.0 through 7.0.6
- Fortinet FortiSwitchManager version 7.2.0
- Fortinet FortiSwitchManager version 7.0.0
Discovery Timeline
- 2022-10-18 - CVE-2022-40684 published to NVD
- 2026-01-14 - Last updated in NVD database
Technical Details for CVE-2022-40684
Vulnerability Analysis
The vulnerability resides in the authentication mechanism of the administrative interface for affected Fortinet products. The flaw allows attackers to bypass authentication entirely by using an alternate path or channel, as classified under CWE-287 (Improper Authentication). This means the normal authentication checks can be circumvented through specially crafted requests.
When exploited, an attacker can perform any administrative operation on the device as if they were a legitimate administrator. This includes modifying firewall rules, creating new administrative accounts, exfiltrating configuration data, and potentially pivoting deeper into the protected network.
The exploitation occurs over the network without requiring any prior authentication or user interaction, making it highly accessible to remote attackers. The vulnerability affects the HTTP/HTTPS administrative interface, which is often exposed to the internet for remote management purposes.
Root Cause
The root cause of CVE-2022-40684 is an authentication bypass using an alternate path or channel (CWE-288). The administrative interface fails to properly validate authentication for certain request patterns, allowing specially crafted HTTP or HTTPS requests to bypass the normal authentication workflow entirely. This design flaw enables unauthenticated access to privileged administrative functions that should require valid credentials.
Attack Vector
The attack is network-based and targets the administrative interface of affected Fortinet devices. Attackers craft malicious HTTP or HTTPS requests that exploit the alternate authentication path, bypassing credential validation. The attack can be executed remotely against any exposed administrative interface.
The exploitation flow typically involves:
- The attacker identifies a vulnerable Fortinet device with an exposed administrative interface
- A specially crafted HTTP/HTTPS request is sent to the administrative API endpoints
- The authentication mechanism is bypassed through the alternate path vulnerability
- The attacker gains unauthorized administrative access to the device
- Administrative operations can be performed including adding SSH keys, modifying configurations, or creating new admin users
For technical implementation details, refer to the Packet Storm Security Advisory and the FortiGuard PSIRT Advisory.
Detection Methods for CVE-2022-40684
Indicators of Compromise
- Unexpected administrative user accounts created on Fortinet devices
- Unauthorized SSH keys added to administrator profiles
- Configuration changes occurring outside normal maintenance windows
- HTTP/HTTPS requests to administrative endpoints with anomalous headers or request patterns
- Log entries showing administrative actions without corresponding legitimate authentication
Detection Strategies
- Monitor Fortinet device logs for administrative operations performed without proper authentication sequences
- Implement network monitoring for suspicious HTTP/HTTPS traffic to Fortinet administrative interfaces
- Regularly audit administrative user accounts and SSH keys for unauthorized additions
- Deploy intrusion detection signatures for known CVE-2022-40684 exploitation patterns
- Compare device configurations against known-good baselines to detect unauthorized modifications
Monitoring Recommendations
- Enable comprehensive logging on all Fortinet devices and forward logs to a SIEM solution
- Configure alerts for new administrative account creation or SSH key additions
- Monitor for external access attempts to administrative interfaces from unexpected IP addresses
- Implement network traffic analysis for the management VLAN or interface
How to Mitigate CVE-2022-40684
Immediate Actions Required
- Apply the security patches from Fortinet immediately to all affected devices
- Restrict administrative interface access to trusted management networks only
- If patching is not immediately possible, disable the administrative HTTP/HTTPS interface until patches can be applied
- Audit all administrative accounts and SSH keys for unauthorized additions
- Review device configurations for any unauthorized changes
Patch Information
Fortinet has released security patches addressing CVE-2022-40684. Organizations should upgrade to the following versions or later:
- FortiOS: Upgrade to version 7.2.2 or later, or 7.0.7 or later
- FortiProxy: Upgrade to version 7.2.1 or later, or 7.0.7 or later
- FortiSwitchManager: Upgrade to version 7.2.1 or later
Refer to the FortiGuard PSIRT Advisory FG-IR-22-377 for complete patching instructions and the latest version recommendations.
Workarounds
- Disable HTTP/HTTPS administrative access and use console-only management until patches are applied
- Implement strict network access controls limiting administrative interface access to specific trusted IP addresses
- Enable local-in policies to restrict administrative access to trusted hosts only
- Use VPN or jump server architectures to isolate administrative access from direct internet exposure
# Example: Restrict administrative access to trusted hosts only (FortiOS CLI)
config system interface
edit "mgmt"
set allowaccess ping https ssh
set trusted-host1 10.0.0.0/24
next
end
# Alternative: Disable HTTPS admin access temporarily
config system global
set admin-https-redirect disable
end
config system interface
edit "wan1"
set allowaccess ping
next
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
