FortiOS Auth Bypass: Why Fortinet Warned Select Customers Before Going Public
CVE-2022-40684 let attackers bypass authentication on FortiOS and FortiProxy management interfaces and plant persistent SSH keys — Fortinet quietly warned targeted customers before public disclosure.
Vendors usually disclose a vulnerability to everyone at once. When Fortinet found evidence CVE-2022-40684 was already being exploited against specific customers, it broke from that pattern — quietly warning a targeted subset before the public advisory went out on October 10, 2022.
What the vulnerability does
The flaw is an authentication bypass affecting the administrative interface of FortiOS, FortiProxy, and FortiSwitchManager. By sending specially crafted requests to the management interface, an unauthenticated remote attacker could perform administrative actions without valid credentials. The most consequential of those actions: adding a new SSH public key to an administrative account, giving the attacker persistent access that would survive a subsequent password reset — since the key, not a password, is what grants access.
Why the private warning mattered
Fortinet’s decision to privately notify select customers ahead of the public disclosure reflected genuine urgency: the company had evidence of active, apparently targeted exploitation before the advisory went public, and wanted at-risk customers patched before attackers could act on the now-public technical details. It’s an unusual step for a vendor and a signal, in hindsight, of how seriously Fortinet treated the in-the-wild activity.
Why it mattered broadly
FortiGate firewalls and FortiProxy appliances are perimeter devices — the boundary between an organization’s internal network and the internet, and often the VPN gateway for remote access as well. A management-plane compromise here is a foothold for deeper intrusion, not just a device-level problem. Because attackers could plant SSH keys for persistence, Fortinet’s remediation guidance went further than “apply the patch”: administrators were told to audit for unauthorized admin accounts and unrecognized SSH keys on any potentially exposed device, treating exposure as presumed compromise rather than assuming a clean patch fixed everything.
What administrators should do
Apply Fortinet’s patched FortiOS/FortiProxy releases, restrict management-interface access to trusted networks, and audit administrative accounts and SSH keys for anything unrecognized — patching alone does not remove a key an attacker already planted. CISA added the CVE to its KEV catalog with an expedited deadline. Full technical detail is in Fortinet’s PSIRT advisory (FG-IR-22-377) and the NVD entry.
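The account-and-key audit described above, as an added example that is not Fortinet's code: it parses the `config system admin` section of a FortiOS configuration export and flags admin accounts and SSH public keys that are not on an allowlist. The configuration text and key blobs are constructed for the example; the `ssh-public-key1..3` attribute names follow the FortiOS admin configuration syntax, and the allowlists are assumptions you would replace with your own inventory.

```python
# Added example (not Fortinet's code): flag unexpected admin accounts and
# unrecognized SSH public keys in a FortiOS "config system admin" export.
import re

# Constructed sample export; the key blobs are placeholders, not real keys.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set ssh-public-key1 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY1 ops@corp"
        set ssh-public-key2 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEKEY2 unknown"
    next
    edit "support2"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

# Assumed inventory: expected admin names and expected keys (type + blob, no comment).
KNOWN_ADMINS = {"admin"}
KNOWN_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY1"}

EDIT_RE = re.compile(r'^\s*edit "([^"]+)"')
KEY_RE = re.compile(r'^\s*set ssh-public-key[123] "([^"]*)"')

def parse_admins(config_text):
    """Return {admin_name: [ssh public key strings]} from a FortiOS config dump."""
    admins, current, depth, in_admin = {}, None, 0, False
    for line in config_text.splitlines():
        s = line.strip()
        if s.startswith("config "):          # track nesting so an inner "end" is not ours
            in_admin = in_admin or (depth == 0 and s == "config system admin")
            depth += 1
        elif s == "end":
            depth -= 1
            in_admin = in_admin and depth > 0
        elif in_admin and depth == 1:
            if (m := EDIT_RE.match(line)):
                current = m.group(1)
                admins[current] = []
            elif (m := KEY_RE.match(line)) and current is not None:
                admins[current].append(m.group(1))
            elif s == "next":
                current = None
    return admins

def audit(config_text, known_admins, known_keys):
    """Return (admin, finding) tuples for accounts or keys not in the allowlists."""
    findings = []
    for name, keys in parse_admins(config_text).items():
        if name not in known_admins:
            findings.append((name, "unexpected admin account"))
        for key in keys:
            key_id = " ".join(key.split()[:2])  # compare type + blob, ignore the comment
            if key_id not in known_keys:
                findings.append((name, f"unrecognized SSH key: {key_id}"))
    return findings

def audit_sample():
    return audit(SAMPLE_CONFIG, KNOWN_ADMINS, KNOWN_KEYS)
```

Every finding is a lead to investigate, not proof of compromise; a key planted through this flaw survives a password reset, so remove it and rotate the account's credentials rather than relying on the patch alone.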
This article describes the vulnerability’s impact and official mitigation guidance only — it does not include exploit code or step-by-step attack instructions.