Alert Essentials:
CVE-2022-40684 is an authentication bypass vulnerability that affects Fortinet’s administrative interfaces.
The flaw was patched in 2022; however, data obtained from successful exploits was recently released on BreachForums.com.
Verify that vulnerable software has been upgraded and that device credentials have been reset.
Detailed Threat Description:
Attackers recently leaked configuration data and passwords from attacks on Fortinet products in 2022.
An authentication bypass using an alternate path or channel vulnerability in FortiOS, FortiProxy, and FortiSwitchManager allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. Attackers can execute remote code to exfiltrate configurations and create super admin accounts on compromised devices.
A newly emerged group, Belsen Group, released configurations from over 15,000 compromised FortiGate devices. This breach exposes usernames, passwords (some in plaintext), and VPN credentials.
Critical firewall rules, IP addresses, and digital certificates are also included in the available data, underscoring the lingering impact of vulnerabilities even years after patching. Fortinet claims the posted data is a resharing from incidents before software revisions were released in November 2022.
Even if organizations applied patches in late 2022, their data may be included in the recent dump as it could have been exfiltrated before patches were applied. While the captured data may be old, many devices are still online with the same configurations and firewall rules as in 2022.
This weakness is on CISA’s Known Exploited List. Proof-of-concepts exist, and they can be exploited with Core Impact and Metasploit. Upgrades and workarounds are available.
Mitigations:
- Change device credentials immediately for all affected Fortinet devices.
- Reassess firewall rules to identify potential vulnerabilities revealed by the leaked configurations.
- Disable unnecessary administrative interfaces.
- Implement additional security layers, such as IP restrictions and turning off public-facing administrative interfaces.
- Adopt proactive vulnerability intelligence platforms to monitor exposed data and mitigate risks.
Affected Products / Versions:
| Affected Products / Versions | Upgrade to |
|---|---|
| FortiOS version 7.2.0 through 7.2.1 | 7.2.2 or above |
| FortiOS version 7.0.0 through 7.0.6 | 7.0.7 or above |
| FortiProxy version 7.2.0 | 7.2.1 or above |
| FortiProxy version 7.0.0 through 7.0.6 | 7.0.7 or above |
| FortiSwitchManager version 7.2.0 | 7.2.1 or above |
| FortiSwitchManager version 7.0.0 | 7.0.1 or above |
| FG6000F and 7000E/F series | 7.0.5 B8001 or above |
Impacts on Healthcare Organizations:
Exploiting this weakness can allow full access to firewalls, proxies, and network management tools. Hackers can alter configurations, disable defenses, or open additional backdoors for long-term access. These actions could expose sensitive medical records, patient portals, and clinical applications to external threats.
Exposure would have severe consequences, as patient data may be used for identity theft or fraud, eroding patient trust and confidence.
Organizations should verify appliances are operating on fixed software versions and regularly monitor for unauthorized network access to ensure continued protection of sensitive patient data and critical operations.
Recommendations:
Engineering Recommendations:
- Verify purchase and 2022 patch dates of Fortinet products.
- Conduct an immediate review of system logs to identify potential compromises.
- Isolate and investigate affected systems.
- Upgrade or mitigate vulnerable appliances.
- Refresh credentials for Fortinet devices.
- Implement access controls to management interfaces.
- Validate the FortiGate configuration to ensure that no unauthorized changes have been implemented by a malicious third party.
- Follow best practice recommendations for configuration.
- A Tenable plugin is available: #165763 – Fortinet FortiGate Authentication bypass in the administrative interface (FG-IR-22-377).
- A separate Tenable plugin is available to identify the version of Fortinet devices in the network: #73522 – Fortinet Device Detection.
Leadership/Program Recommendations:
- Fortinet confirms that devices purchased since December 2022 or devices that have only run FortiOS 7.2.2 or above are not impacted by the information disclosed by this threat actor.
- Organizations must prioritize robust monitoring and incident response capabilities to mitigate such risks and protect their assets.
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
