Fortinet has privately warned customers of a security flaw affecting FortiGate firewalls and FortiProxy web proxies that could allow attackers to perform unauthorized actions on susceptible devices.
Tracked as CVE-2022-40684 (CVSS score: 9.6), the critical flaw is an authentication bypass vulnerability that could allow an unauthenticated adversary to perform arbitrary operations on the administrative interface via specially crafted HTTP(S) requests.
The issue affects the following versions and is addressed in FortiOS versions 7.0.7 and 7.2.2, and FortiProxy versions 7.0.7 and 7.2.1, released this week:
- FortiOS – 7.0.0 to 7.0.6 and 7.2.0 to 7.2.1
- FortiProxy – 7.0.0 to 7.0.6 and 7.2.0
“Due to the remote exploitability of this issue, Fortinet strongly recommends that all customers using vulnerable versions upgrade immediately,” the company warned in an alert shared by a security researcher who goes by the alias Gitworm on Twitter.
As a temporary workaround, the company advises users to disable Internet-facing HTTPS administration or to apply firewall policies to “local-in” traffic until the upgrade takes place.
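The two workarounds above, written out as a constructed FortiOS CLI fragment (added here; this is not text from Fortinet's advisory, and the interface name wan1, the address object name and the 203.0.113.0/24 range are assumptions): the first removes HTTPS administrative access from the Internet-facing interface, the second keeps it but uses local-in policies to restrict it to a trusted management range.

```fortios
# Option 1: drop HTTP/HTTPS administrative access on the Internet-facing
# interface. "wan1" is an assumed interface name; list only the access
# types you actually need (here only ping is kept).
config system interface
    edit "wan1"
        set allowaccess ping
    next
end

# Option 2: keep HTTPS administration but restrict who can reach it.
# "mgmt-trusted" and 203.0.113.0/24 are constructed placeholder values.
config firewall address
    edit "mgmt-trusted"
        set subnet 203.0.113.0 255.255.255.0
    next
end

config firewall local-in-policy
    # Allow HTTPS to the device itself only from the trusted range.
    edit 1
        set intf "wan1"
        set srcaddr "mgmt-trusted"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
    # Deny HTTPS to the device from every other source on this interface.
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
    next
end
```

Local-in policies are evaluated in order, so the accept entry must precede the deny; confirm the result with `show firewall local-in-policy` and a connection attempt from outside the trusted range before relying on it.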
When asked for comment, Fortinet acknowledged the recommendation and said it would delay public notice until customers apply the fix.
“Timely and ongoing communication with our customers is a key factor in maximizing the protection and protection of their organizations,” the company said in a statement shared with The Hacker News. “Communications with our customers often detail our latest guidance and recommended next steps to best protect and protect our organization.”
“Confidential advance customer communications may include early warning of recommendations to enable customers to further strengthen their security posture. This will be made available to a wider audience in the coming days. Customer security is our number one priority.”