Fortinet officials and security researchers warned that attacks have rapidly escalated against the company’s firewall and web proxy software. A large number of customers have failed to upgrade their systems since notifications were sent in early October.
“After multiple notifications from Fortinet over the past week, there are still a significant number of devices that require mitigation, and following the publication of an outside party of PoC (proof of concept) code, there is active exploitation of this vulnerability,” Carl Windsor, senior vice president, product technology and solutions, said in a blog post.
Fortinet disclosed the authentication bypass vulnerability in FortiOS, FortiProxy and FortiSwitchManager products, tracked as CVE-2022-40684, on Oct. 3. The vulnerability allows a remote attacker to conduct operations on an administrative interface using specially crafted HTTP or HTTPS messages.
The Cybersecurity and Infrastructure Security Agency later added the vulnerability to its Known Exploited Vulnerabilities Catalog.
Cybersecurity firm Horizon3.ai said it does not track exploit activity in the wild, but it has been tracking publicly available data from GreyNoise. The number of unique IPs using the exploit has gone from single digits, when the vulnerability was originally announced, to about 200.
“We expect the number of unique IPs using this exploit to significantly increase in the coming days,” Zach Hanley, chief attack engineer at Horizon3.ai, said via email Friday. “It is not hard for attackers to find vulnerable systems.”
Researchers from Rapid7 published additional analysis on Friday. Caitlin Condon, senior manager, software engineering at Rapid7, pointed out that the public proof of concept overrides the target's admin SSH key, “which isn’t ideal if you’re testing the exploit in a corporate environment or a client engagement.”