Today Fortinet announced a critical authentication bypass in its FortiGate products that could lead to administrator access. This vulnerability, CVE-2022-40684, has been patched and admins are advised to upgrade or implement workaround safeguards immediately.
The communications Fortinet sent to customers indicate that the newer FortiOS 7 releases are vulnerable and have stated the safe versions to use:
| Product | Vulnerable Versions | Fixed Version |
|---|---|---|
| FortiOS (Fortigate) |
7.0.0 to 7.0.6 7.2.0 to 7.2.1 |
7.0.7 7.2.2 |
The workaround is to ensure HTTPS management is disabled on public or untrusted interfaces, or to create trust lists of IPs that are permitted to access the management page.
Clients of Advanced Data that are on our Flat Fee IT or Hosted Firewall offerings have been remediated by either the patch or the trust list methods.