Fortinet released updates for the actively exploited authentication bypass vulnerability CVE-2022-40684, giving details of mitigation guidance for vulnerable products.
• Fortinet released a software update that indicates the latest versions of their FortiOS (firewall) and FortiProxy (web proxy) software are vulnerable to CVE-2022-40684.
• CVE-2022-40684 is an authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS versions 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and versions 7.0.0 through 7.0.6, and FortiSwitchManager versions 7.2.0 and 7.0.0. It allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
• Fortinet has urged organisations to take immediate upgrading actions.
• This advisory updates the guidance given in Sequretek advisory SQTK/ADV/0074.
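The affected-version ranges above are the input a defender needs for fleet triage. The following is an added example, not code from Fortinet or Sequretek, that checks inventory version strings (assumed to be in a "7.0.5" or "v7.0.5" format) against exactly the ranges this advisory lists and returns the devices that still need the upgrade.

```python
# Added example: triage an inventory of Fortinet devices against the
# CVE-2022-40684 affected ranges stated in this advisory.
# Version strings such as "7.0.5" / "v7.0.5" are an assumed inventory format.

# Inclusive (low, high) ranges per product, exactly as listed in the advisory.
AFFECTED = {
    "FortiOS": [((7, 2, 0), (7, 2, 1)), ((7, 0, 0), (7, 0, 6))],
    "FortiProxy": [((7, 2, 0), (7, 2, 0)), ((7, 0, 0), (7, 0, 6))],
    "FortiSwitchManager": [((7, 2, 0), (7, 2, 0)), ((7, 0, 0), (7, 0, 0))],
}


def parse_version(text):
    """Turn '7.0.5' or 'v7.0.5' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product, version):
    """True if the product/version pair falls inside an affected range."""
    ranges = AFFECTED.get(product)
    if ranges is None:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    v = parse_version(version)
    return any(low <= v <= high for low, high in ranges)


def triage(inventory):
    """Return the (hostname, product, version) entries that need the upgrade."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are not real devices.
    sample = [
        ("fw-edge-01", "FortiOS", "7.0.6"),
        ("fw-edge-02", "FortiOS", "7.0.7"),
        ("proxy-01", "FortiProxy", "v7.2.0"),
        ("proxy-02", "FortiProxy", "7.2.1"),
        ("fsm-01", "FortiSwitchManager", "7.0.0"),
        ("fw-branch", "FortiOS", "6.4.10"),
    ]
    for host, product, version in triage(sample):
        print(f"{host}: {product} {version} is affected, upgrade required")
```

Boundary versions matter here: FortiProxy 7.2.1 and FortiOS 7.0.7 sit just outside the listed ranges, so the check must be inclusive on both ends rather than a plain "7.x" match.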