Skip to content

Affected Systems:

  • FortiOS versions 7.2.1, 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, and 7.0.0
  • FortiProxy versions 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, and 7.0.0
  • FortiSwitchManager versions 7.2.0, and 7.0.0


Fortinet has released a security advisory warning users of an authentication bypass vulnerability affecting its firewall and proxy products. The vulnerability, tracked as CVE-2022-40684, has a critical severity rating and has been seen actively exploited by hackers.

Alongside being announced in Fortinet’s advisory, the vulnerability has also been added to The U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalogue on October 11th.

The vulnerability is exploited using specially crafted HTTP and HTTPS requests. If successful, hackers can bypass authentication and remotely access the compromised product’s administrative interface. This access allows them to disable or override administrator functions, meaning hackers can configure the firewall or proxy of an organisation to allow for a further compromise into the network.’s chief attack engineer Zach Hanley has told BleepingComputer that “Vulnerabilities affecting devices on the edge of corporate networks are among the most sought after by threat actors because it leads to breaching the perimeter, and CVE-2022-40684 allows exactly this” BleepingComputer has found that over 140,000 FortiGate firewalls are exposed on the internet, and could be vulnerable to attacks if their admin management interfaces are also exposed.


Fortinet has released updates for affected versions, asking customers to update their products as follows:

  • Upgrade FortiOS to version 7.2.2 or above or version 7.0.7 or above
  • Upgrade FortiProxy to version 7.2.1 or above, version 7.0.7 or above
  • Upgrade to FortiSwitchManager version 7.2.1 or above

As this vulnerability is being actively exploited, Fortinet has recommended checking for the following string in your device’s logs:

user=” Local_Process_Access”

If this string is in your logs, it could indicate that your device has been compromised.

Security researchers at have shared some more indicators of compromise alongside a technical explanation for this vulnerability, which can be found here.

If you cannot update your systems, Fortinet has included workarounds to protect against attackers exploiting this bug in their security advisory.

All affected products (FortiProxy, FortiSwitchManager, and FortiOS) can disable the HTTP/HTTPS administrative interface as a workaround.

FortiOS and FortiProxy can also limit the IP addresses that can reach the administrative interfaces to prevent unauthorized access. Fortinet has provided the commands to do so in its security advisory.

Related Links: