FortiOS / FortiProxy Authentication Bypass on Administrative Interface
An authentication-bypass vulnerability in FortiOS, FortiProxy, and FortiSwitchManager allows a remote attacker to perform administrative operations on the management interface via crafted HTTP(S) requests, including adding a new administrator SSH key for persistent access.
- Vendor: Fortinet
- Product: FortiOS / FortiProxy
- CVSS: N/A
- Status: kev
- Published
CVE-2022-40684 is an authentication-bypass vulnerability affecting FortiOS, FortiProxy, and FortiSwitchManager’s administrative interface, disclosed by Fortinet on October 10, 2022, alongside a warning that it was already being exploited in the wild. By sending specially crafted requests to the management interface, an unauthenticated remote attacker could perform administrative actions — most dangerously, adding their own SSH public key to an account, granting persistent access that would survive a password change.
Why it mattered
Fortinet’s FortiGate firewalls and FortiProxy appliances are perimeter and VPN gateway devices — exactly the kind of internet-facing infrastructure that, once an attacker gains administrative control, becomes a foothold for deeper network intrusion. Fortinet notified select customers privately ahead of the public advisory given evidence of active targeting, an unusual step reflecting the severity of exploitation already underway.
Because attackers could plant SSH keys for persistence, Fortinet’s remediation guidance went beyond simple patching: administrators were told to treat any potentially exposed device as compromised and audit for unauthorized admin accounts or SSH keys, not just apply the fix. The vulnerability was added to CISA’s KEV catalog with an expedited deadline. Full technical detail is in Fortinet’s PSIRT advisory (FG-IR-22-377) and at the NVD link above.
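The audit step above (unexpected admin accounts, unexpected SSH keys) can be scripted against an exported configuration. The following is an added example, not Fortinet's tooling or anything from the advisory; it assumes the FortiOS CLI layout of a `config system admin` block (`edit "name"` ... `set ssh-public-key1 "..."` ... `next` ... `end`), and the sample configuration and account names are constructed for illustration.

```python
import re

# Constructed sample of a FortiOS "config system admin" block. The block layout
# is assumed from FortiOS CLI conventions; the key text is a placeholder, and
# "helpdesk-tmp" is an invented name standing in for an account you did not create.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "helpdesk-tmp"
        set accprofile "super_admin"
        set vdom "root"
        set ssh-public-key1 "ssh-rsa AAAAB3PLACEHOLDER attacker@example"
    next
end
"""

def parse_admins(config_text):
    """Return {account_name: [ssh public keys]} for every 'edit' entry
    inside the 'config system admin' block; other blocks are ignored."""
    admins, in_block, current = {}, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":          # end of the admin block
            break
        m = re.match(r'edit "(.+)"$', line)
        if m:
            current = m.group(1)
            admins[current] = []
            continue
        m = re.match(r'set ssh-public-key\d "(.+)"$', line)
        if m and current is not None:
            admins[current].append(m.group(1))
    return admins

def audit_admins(config_text, expected_accounts):
    """Flag admin accounts missing from the approved set, and every SSH public
    key present, since a planted key is the persistence artifact to look for."""
    findings = []
    for name, keys in parse_admins(config_text).items():
        if name not in expected_accounts:
            findings.append(f"unexpected admin account: {name}")
        for key in keys:
            findings.append(f"ssh key on account {name}: {key[:20]}...")
    return findings
```

Every reported SSH key should be matched against a change record; a key nobody can account for is treated as compromise, not as a cleanup item.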
