Skip to content

FortiOS / FortiProxy / FortiSwitchManager – Authentication Bypass (CVE-2022-40684)

  • Resources
  • Glossary
  • FortiOS / FortiProxy / FortiSwitchManager – Authentication Bypass (CVE-2022-40684)

We would like to bring to your attention a newly discovered authentication bypass vulnerability within FortiOS, FortiProxy and FortiSwitchManager. This vulnerability is currently being actively exploited.

An authentication bypass has been identified using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager which allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. The vulnerability has been issued the identifier CVE-2022-40684 and has been given a CVSS score of 9.6.

Affected Products

  • FortiOS version 7.2.0 through 7.2.1

  • FortiOS version 7.0.0 through 7.0.6

  • FortiProxy version 7.2.0

  • FortiProxy version 7.0.0

  • FortiSwitchManager version 7.2.0

  • FortiSwitchManager version 7.0.0

Detection

The current version of FortiOS / FortiGate can be checked with the following command, and should be checked against the known affected products above:

get system status

Additional Fortinet recommend to check the device’s log for the following strings to help detected compromised devices:

  • user=”Local_Process_Access”

  • user_interface=”Node.js”

  • user_interface=”Report Runner”

Exploited hosts may show records for these strings.

Remediation

Whilst a workaround has been provided, current best guidance for remediating this issue to update to an unaffected version.

  • FortiOS should be updated to version 7.2.2 or above and version 7.0.7 or above.

  • FortiProxy should be updated to version 7.2.1 or above and version 7.0.7 or above.

  • FortiSwitchManager should be updated to version 7.2.1 or above.

References

City network visual symbolising interconnected systems impacted by the F5 breach

Weaponized patience: the strategic implications of the F5 breach

The F5 breach reveals the growing danger of shared infrastructure attacks. As adversaries learn faster than defenders, the only path to resilience is continuous, adaptive testing.…

Everyone has a plan until they get punched in the face: reflections on the NCSC 2025 annual review

The NCSC Annual Review 2025 delivers a reality check. Highly significant cyber incidents have increased by 50 percent year over year. It’s time to act.
aerial view of a city symbolising complexity and continuous threat readiness

Part 3: CBEST Series – The Future of Threat-Led Penetration Testing

Regulated testing like CBEST is pivotal, but as threats shift, organizations must adopt more strategic, agile threat-led penetration testing. Discover what’s next.