Details and a proof-of-concept (PoC) exploit have been published for the recent Fortinet vulnerability tracked as CVE-2022-40684, just as cybersecurity firms are seeing what appears to be the start of mass exploitation attempts.
Fortinet privately informed some customers last week about the availability of patches and workarounds for a critical authentication bypass vulnerability exposing some devices to remote attacks.
The security hole allows an unauthenticated attacker to remotely perform unauthorized operations on an appliance’s admin interface using specially crafted requests. Exploitation is not difficult and it can lead to a full device takeover.
On Monday, the company made public an advisory and confirmed that the zero-day flaw had been exploited in at least one attack.
This suggested that the attack observed by Fortinet was likely the work of a sophisticated — likely state-sponsored — threat actor. However, as more details are coming to light, it’s increasingly likely that CVE-2022-40684 will be widely exploited.
Penetration testing company Horizon3.ai has made public a PoC exploit that allows an attacker to add an SSH key to the admin user, enabling the attacker to access the targeted system with administrator privileges. The firm has also released technical details, and others have created templates for vulnerability scanners.
There have been several reports over the past day indicating that scanning for systems affected by CVE-2022-40684 is underway. Threat intelligence firm GreyNoise has seen exploitation attempts coming from more than 40 unique IPs in the past 24 hours.
WordPress security company Defiant has also seen exploitation attempts, coming from nearly two dozen IPs.