Network company Fortinet warns organizations to immediately patch a critical vulnerability in FortiOS and FortiProxy The vulnerability, designated CVE-2022-40684, could allow an unauthenticated attacker to access the administrative interface and perform various actions. FortiOS is Fortinet's operating system that runs on all kinds of network devices, such as firewalls and switches.
Due to the fact that an attacker can remotely exploit the vulnerability and no credentials are required, Fortinet requests that the made available security updates be installed immediately. Fortinet has not yet released many details about the vulnerability. For example, the CVE number is mentioned in the release notes of FortiOS 7.2.2, but without further information (pdf). Readers of Reddit discovered the vulnerability in the overview. For users with a FortiCloud account, a bulletin has been published with more details.
The vulnerability is present in FortiOS from 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1. FortiProxy versions 7.0.0 through 7.0.6 and 7.2.0 are also vulnerable. FortiGate users can upgrade to FortiOS version 7.0.7 or 7.2.2. Versions 7.0.7 and 7.2.1 are available for FortiProxy.