Fortinet has sent a communication to its customers confirming a critical-severity vulnerability in FortiOS and FortiProxy. The company has warned administrators to update FortiGate firewalls and FortiProxy web proxies to the latest available versions to address the flaw. A full security advisory has not yet been released; Fortinet is expected to include it in its monthly advisory publication this week. Affected versions are FortiOS 7.0.0 through 7.0.6 and 7.2.0 through 7.2.1, and FortiProxy 7.0.0 through 7.0.6 and 7.2.0. Earlier release branches are not affected.
The vulnerability, tracked as CVE-2022-40684, has been assigned a critical severity rating and a CVSS score of 9.6/10. At the time of writing no exploitation in the wild has been identified, but proof-of-concept (PoC) code is expected to be released soon. Fortinet products, and FortiOS in particular, are heavily targeted by attackers, so remediation should be applied as soon as possible rather than waiting for a public exploit. The weakness is an authentication bypass using an alternate path or channel (CWE-288): an unauthenticated attacker who can reach the administrative interface over HTTP or HTTPS can send specially crafted requests that are processed as if they came from an authenticated administrator. The attacker can then perform administrator-level operations, limited only by the requests they choose to send.
A patch exists for this vulnerability, so users are encouraged to update to FortiOS 7.0.7 or 7.2.2 or later, and FortiProxy 7.0.7 or 7.2.1 or later. Suggested workarounds have also been provided by Fortinet in its customer support bulletin and by third parties on the Fortinet community forum. Disabling HTTP/HTTPS administrative access on internet-facing interfaces prevents exploitation from the internet, but this is a mitigation rather than a permanent fix and the patch is still required. Notes on how to do this can be found in the Fortinet Hardening Guide. It is also possible to apply a local-in policy that restricts administrative HTTP/HTTPS traffic to an IP allowlist; because local-in policies are evaluated in order, the allowlist accept rule must be followed by a deny rule covering all other sources.