CVE-2022-40684 Detection

Heads up! A new critical vulnerability is on the radar. Fortinet has recently disclosed an authentication bypass vulnerability in its FortiOS, FortiProxy, and FortiSwitchManager appliances. The security flaw tracked as CVE-2022-40684 is actively exploited in the wild, posing a serious risk to Fortinet’s customers leveraging vulnerable product instances.

Detect CVE-2022-40684 Exploitation Attempts

In view of proof-of-concept (PoC) exploits actively circulating the web, timely detection and proactive cyber defense are critical to protecting organizational infrastructure against emerging attacks. To leave no chance for attacks to go undetected, SOC Prime’s Detection as Code Platform curates a batch of dedicated Sigma rules developed by the SOC Prime Team and our seasoned Threat Bounty developers Sittikorn Sangrattanapitak, Onur Atali, and Nattatorn Chuensangarun.

The detections are compatible with 18 SIEM, EDR, and XDR solutions and are aligned with the MITRE ATT&CK® framework addressing the Initial Access, Lateral Movement, and Defense Evasion, with Exploit Public-Facing Applications (T1190), Exploitation of Remote Services (T1210), and Valid Accounts (T1078) as corresponding techniques.

Join our Threat Bounty Program to monetize your Sigma and ATT&CK knowledge while making the world a safer place. Get rewards for Threat Detection, Threat Hunting, and Incident Response algorithms submitted to our Detection as Code platform. Enhance your hard skills and expertise, visible to the cybersecurity community through our Author’s page. 

Hit the Explore Detections button to instantly access Sigma rules for CVE-2022-40684, corresponding threat intelligence links, MITRE ATT&CK references, threat hunting ideas, and detection engineering guidance.

Explore Detections

CVE-2022-40684 Analysis 

Just a month after ProxyNotShell loudly entered the cyber threat arena, a novel critical security vulnerability in Fortinet’s products causes a stir posing a significant threat to 150,000 customers across the globe leveraging potentially compromised software. Fortinet has released security updates covering the details of the revealed vulnerability, the list of affected products, and solutions to mitigate the threat. The critical vulnerability tracked as CVE-2022-40684 enables threat actors to log in as administrators on the compromised system of Fortinet’s FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager devices. The reported vulnerability is being actively exploited in the wild. 

Cybersecurity researchers have recently released a PoC exploit now publicly available on GitHub along with the technical root cause analysis of the disclosed security flaw. This POC leverages the critical Fortinet auth bypass bug to set an SSH key for the specific user. According to the provided investigation, after exploiting the vulnerability to bypass authentication, attackers can perform malicious operations on the administrative interface using specifically generated HTTP or HTTPS requests, including modifying network settings, adding new users, and initiating packet captures. Similarly to other newly revealed enterprise software security flaws, like F5 and VMware vulnerabilities, the exploit for CVE-2022-40684 follows a common pattern where HTTP headers are wrongly validated. 

After the vulnerability disclosure and evidence on the ongoing in-the-wild attacks, CISA has also added CVE-2022-40684 to the list of the Known Exploited Vulnerabilities Catalog, mentioning that the reported security flaw poses significant risks to federal enterprises.

As mitigation measures and security workarounds for remediating the threat, Fortinet advisory recommends disabling the HTTP/HTTPS admin interface or limiting the IP address that can access the latter. Customers are also highly recommended to upgrade their potentially vulnerable software to the latest versions. 

Due to the growing numbers of ongoing attacks exploiting CVE-2022-40684 and exposing up to 150,000 potentially compromised Fortinet devices to severe risks, timely detection is a must. Obtain 700 Sigma rules for all known vulnerabilities to always stay ahead of attackers! Instantly reach 120+ rules for free or get the entire detection stack with On Demand at

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts