Critical Authentication Bypass in Fortinet Products (CVE-2022-40684): Analysis and Mitigation

A critical authentication bypass vulnerability (CVE-2022-40684) affecting Fortinet’s FortiOS, FortiProxy, and FortiSwitchManager has been actively exploited since late 2024. With a CVSS score of 9.6, this flaw allows remote attackers to gain super-admin privileges without credentials, posing significant risks to network security.

Executive Summary for Security Leaders

The vulnerability enables attackers to bypass authentication by crafting HTTP/HTTPS requests with spoofed headers. Successful exploitation leads to full system compromise, including configuration tampering and backdoor creation. Fortinet confirmed active exploitation in December 2024, with Arctic Wolf observing mass attacks in 2025 targeting unpatched systems.

• Affected Versions: FortiOS 7.0.0–7.0.6/7.2.0–7.2.1, FortiProxy 7.0.0–7.0.6/7.2.0, FortiSwitchManager 7.0.0/7.2.0
• Exploit Method: Spoofed Forwarded header with User-Agent: Report Runner
• Impact: Remote super-admin access, SSH key injection, data exfiltration
• Patch Status: Fixed in FortiOS 7.0.7+, 7.2.2+; FortiProxy 7.0.7+, 7.2.1+; FortiSwitchManager 7.0.1+, 7.2.1+

Technical Analysis

The vulnerability (CWE-288) occurs due to improper validation of the Forwarded HTTP header. Attackers can spoof requests as originating from localhost (for="[127.0.0.1]") when combined with the specific user agent. This bypasses all authentication checks, granting administrative privileges.

Metasploit includes a module (added October 2022) that demonstrates SSH key injection for persistent access. Horizon3’s analysis confirms attackers can:

“Create arbitrary admin accounts, modify network configurations, and exfiltrate sensitive data through crafted API requests.”

Fortinet’s advisory provides a workaround using local-in-policy rules to restrict administrative interface access:

config firewall local-in-policy
  edit 1
    set intf port1
    set srcaddr "MGMT_IPs"
    set action accept
    set service HTTPS HTTP
  next
  edit 2
    set intf "any"
    set srcaddr "all"
    set action deny
end

Detection and Response

Organizations should monitor for:

• Unauthorized admin accounts (e.g., fortigate-tech-support)
• SSH key modifications in system logs
• HTTP requests containing User-Agent: Report Runner

Belsen Group’s 2025 leak of 15,000 device configurations highlights the long-term risks of unpatched systems. CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog, mandating remediation for federal agencies.

Conclusion

CVE-2022-40684 remains a high-risk vulnerability due to its ease of exploitation and critical impact. Organizations using affected Fortinet products should prioritize patching or implement strict access controls. Continuous monitoring for anomalous administrative activities is recommended even after remediation.

References

1. Fortinet PSIRT Advisory FG-IR-22-377, Oct. 2022.
2. Metasploit Exploit Module, Rapid7, Oct. 2022.
3. Horizon3 Technical Analysis, Nov. 2022.
4. CISA Known Exploited Vulnerabilities Catalog, updated 2025.
5. “Fortinet Confirms Critical Zero-Day”, Infosecurity Magazine, Dec. 2024.