Fortinet has patched a flaw in multiple products that allowed threat actors remote access and was being abused in the wild.
A security advisory published late last week describes the flaw as an authentication bypass on the administrative interface that lets unauthenticated individuals log into FortiGate firewalls, FortiProxy web proxies and FortiSwitch Manager on-prem management instances.
The defect is tracked as CVE-2022-40684.
Urgent matters
"In FortiOS, FortiProxy, and FortiSwitchManager, an alternative path or channel vulnerability may allow an unauthenticated attacker to perform operations on the administrative interface," according to Fortinet's announcement.
The company said the patch was released this Thursday and added that it had emailed some of its customers, urging them to disable remote management user interfaces as a matter of urgency.
A couple of days after releasing the patch, the company published more details, saying it had found evidence of at least one real-world exploitation of the flaw.
"Fortinet is aware of an instance where this vulnerability was exploited, and advises immediately validating your systems against the following indicator of compromise in the device's logs," the company said, naming the log entry user="Local_Process_Access".
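As an added example (not code from the article or from Fortinet), the following Python script shows how a defender could check an exported FortiGate event log for the indicator quoted above: it parses the space-separated key=value lines that FortiGate emits and flags every entry whose user field equals Local_Process_Access. The sample log lines, their log IDs and the object names are constructed for this demonstration; the field names (date, time, user, ui, action, cfgpath, msg) follow the usual FortiGate event log layout, but the parser should be checked against the device's own export before relying on it.

```python
import re
from typing import Dict, Iterable, List

# Indicator of compromise named in Fortinet's advisory for CVE-2022-40684:
# administrative changes attributed to this pseudo-user rather than a real admin.
IOC_USER = "Local_Process_Access"

# FortiGate event logs are space-separated key=value pairs; values are either
# double-quoted (and may then contain spaces) or bare tokens.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log lines for demonstration only; log IDs and object
# names are illustrative, not copied from a real device.
SAMPLE_LOGS = [
    'date=2022-10-10 time=10:01:12 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(203.0.113.5)"',
    'date=2022-10-10 time=10:03:41 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" '
    'user="Local_Process_Access" ui="REST_API" action="Add" cfgpath="system.admin" '
    'cfgobj="support" msg="Add system.admin support"',
    'date=2022-10-10 time=10:05:02 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'ui="ssh(198.51.100.7)" srcip=198.51.100.7 action="login" status="success" '
    'msg="Administrator admin logged in successfully from ssh(198.51.100.7)"',
]


def parse_fortigate_log_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def find_ioc_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed entries whose user field equals the advisory's IoC value."""
    return [
        fields
        for fields in map(parse_fortigate_log_line, lines)
        if fields.get("user") == IOC_USER
    ]


def summarize_hit(fields: Dict[str, str]) -> str:
    """One-line triage summary of a matching entry (any field may be absent)."""
    when = f'{fields.get("date", "?")} {fields.get("time", "?")}'
    return (
        f'{when} ui={fields.get("ui", "?")} action={fields.get("action", "?")} '
        f'cfgpath={fields.get("cfgpath", "?")} msg={fields.get("msg", "?")}'
    )


if __name__ == "__main__":
    hits = find_ioc_hits(SAMPLE_LOGS)
    print(f"{len(hits)} entries attributed to {IOC_USER}")
    for hit in hits:
        print("  " + summarize_hit(hit))
```

Run against a real export by replacing SAMPLE_LOGS with the lines of the file; the summary line is meant to answer the triage questions a responder asks first (when, through which interface, what configuration object was touched), which is why the script keeps the whole parsed entry rather than just the match.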
These are the Fortinet products that should be patched immediately:
According to BleepingComputer, at least 140,000 FortiGate firewalls are reachable from the internet and may be exposed to attacks, especially if their admin interfaces are also exposed. Those who cannot patch their devices should disable the HTTP/HTTPS admin interfaces or restrict the IP addresses allowed to reach them via a local-in policy, the report adds.
"If these devices cannot be redesigned in a timely manner, the internet-facing HTTPS Administration should be immediately deactivated until the upgrade is accomplished," says Fortinet.