Analysis of Fortinet "Critical Authentication Bypass" impact in Switzerland

On October 10th 2022 Fortinet patched a critical authentication bypass vulnerability affecting three of their products: FortiOS, FortiProxy, and FortiSwitchManager. The vulnerability, identified as CVE-2022-40684 with a CVSS score of 9.6, allows an attacker to login into the affected system with admin privileges, by adding a new SSH key to the admin user.

FortiOS exposes a management web portal that allows users to configure the system. Additionally, users can SSH into the system which exposes a locked-down CLI interface. Horizon3 researchers analysed the differences between Fortinet's vulnerable firmware and it's patched firmware, discovering that the problem was in one function which, if called with specific headers values, could allow to bypass authentication.

Image 1: Vulnerable Function (Source: Horizon3 - https://u6z4d6v3.rocketcdn.me/wp-content/uploads/2022/10/Screen-Shot-2022-10-10-at-11.38.59-AM.png.webp).


This function checks that the client_ip is “127.0.01” and that the User-Agent header matches the second parameter, and gets called with two possible values for the second parameter: “Node.js” and “Report Runner”. The “Node.js” path seems to perform some additional validation, but using “Report Runner” allow to bypass authentication and perform API requests.

Here is an overview of the necessary conditions of a request for exploiting this vulnerability:

  1. Using the Forwarded header the client_ip should be set to  “”

  2. The User-Agent should be set to “Report Runner”

On October 13th a PoC of the vulnerability written in python, by Horizon3 researchers, was published. After a few hours, other PoCs and templates for the vulnerability were published on Github.


Indicators of Compromise (IOCs)

The following indicators of compromise in the device's logs should be checked immediately, according to Fortinet, which is aware of widespread exploitation of this vulnerability: 

  • user=”Local_Process_Access”
  • user_interface=” Node.js”
  • user_interface=” Report Runner”

Any HTTP requests to a system's management interface that match the aforementioned criteria should be regarded with suspicion. This vulnerability enables an attacker to change network settings, add new users, and start packet captures on the vulnerable system, among other things. It should be noted that there are other possible conditions that could also be used to exploit this vulnerability. The User-Agent "Node.js" is used, for example, in a modified exploit version. This vulnerability appears to continue a trend among recently identified enterprise software vulnerabilities where improperly validated or overly trusted HTTP headers are involved.


Affected Products

  • FortiOS version 7.2.0 through 7.2.1
  • FortiOS version 7.0.0 through 7.0.6
  • FortiProxy version 7.2.0
  • FortiProxy version 7.0.0 through 7.0.6
  • FortiSwitchManager version 7.2.0
  • FortiSwitchManager version 7.0.0


Fortinet devices affected in Switzerland

Using our CYOBS radar, we detected 533 Fortinet devices in Switzerland still vulnerable to CVE-2022-40684.

As mentioned, an attacker can use this vulnerability to get administration rights over the vulnerable system and do just about anything they want.

We recommend patching or applying the workarounds advised by Fortinet as soon as possible, on an emergency basis. These products are edge devices, which are high-value and high-focus targets for attackers looking to gain internal network access. We expect attackers to focus on CVE-2022-40684 quickly and for quite some time.

Image 2: Vulnerable Fortinet devices detected in Switzerland by CYOBS


The switzerland zones more affected by this vulnerability are:


Image 3: Heatmap with Switzerland zones more affected by CVE-2022-40684.


In the following sections, we explain the recommendations published by Fortinet to patch this vulnerability.



The ultimate solution to CVE-2022-40684 is applying the software updates provided by Fortinet and upgrade to:

  • FortiOS version 7.2.2 or above
  • FortiOS version 7.0.7 or above
  • FortiProxy version 7.2.1 or above
  • FortiProxy version 7.0.7 or above
  • FortiSwitchManager version 7.2.1 or above




The first option is to directly disable the HTTP/HTTPS administrative interface. If you can't do that, the other option is as follows:

1) Limit IP addresses that can reach the administrative interface:

config firewall address

edit "my_allowed_addresses"

set subnet <MY IP> <MY SUBNET>


Then create an Address Group:

config firewall addrgrp

edit "MGMT_IPs"

set member "my_allowed_addresses"


2) Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1):

config firewall local-in-policy

edit 1

set intf port1

set srcaddr "MGMT_IPs"

set dstaddr "all"

set action accept

set service HTTPS HTTP

set schedule "always"

set status enable


edit 2

set intf "any"

set srcaddr "all"

set dstaddr "all"

set action deny

set service HTTPS HTTP

set schedule "always"

set status enable


3 )If using non default ports, create appropriate service object for GUI administrative access:

config firewall service custom


set tcp-portrange <admin-sport>



set tcp-portrange <admin-port>


4) Use these objects instead of "HTTPS HTTP "in the local-in policy 1 and 2 below.



The first option is to directly disable the HTTP/HTTPS administrative interface. If you can't do that, the other option is as follows:

1) For FortiProxy 7.0.6 only, limit IP addresses that can reach the administrative interface (here: port1):

config system interface

edit port1

set dedicated-to management

set trust-ip-1 <MY IP> <MY SUBNET>




The only option in this case is to directly disable the HTTP/HTTPS administrative interface.


For further information:



References and useful links:




Analysis of Fortinet "Critical Authentication Bypass" impact in Switzerland

Todas las entradas