Horizon3.ai researchers have released a PoC exploit for CVE-2022-40684, the authentication bypass vulnerability affecting Fortinet‘s firewalls and secure web gateways, and soon after exploitation attempts started rising.
“[On Thursday], the Wordfence Threat Intelligence team began tracking exploit attempts targeting CVE-2022-40684 on our network of over 4 million protected websites,” Wordfence threat analyst Ram Gall shared.
They have recorded several exploit attempts and requests from over 20 IP addresses, but most of those were attempts to discover whether a Fortinet appliance is in place.
“However, we also found that a number of these IPs are also sending out PUT requests matching the recently released proof of concept (…) which attempts to update the public SSH key of the admin user.”
Greynoise has also been tracking CVE-2022-40684 exploit attempts, and noticed them coming from an increasing number of IP addresses.
It is unknown who first discovered the existence of CVE-2022-40684, but Fortinet spotted it being exploited in the wild, created patches, and privately urged customers to implement them before going public with the information.
Horizon3.ai researchers created an exploit after analyzing the differences between the vulnerable and the patched firmware, but refrained from publishing it for a few days, to give admins time to patch or implement workarounds.
On Thursday, they released the PoC along with a post detailing what caused the bug.
Since then, others have released PoCs and, as already noted, exploitation attempts have begun surfacing.
Fortinet, Horizon3.ai and Wordfence have provided indicators of compromise for those who want to check whether their devices got popped before they managed to patch – or haven’t yet patched.
Though, as security researcher Kevin Beaumont noted, many organizations probably haven’t patched yet – but there’s a silver lining:
Yeah I have reason to believe most orgs haven’t patched. But the good news is it’s v7.x of the product vuln, and most of the boxes online haven’t reached there yet, most on EOL versions.
— Kevin Beaumont (@GossiTheDog) October 13, 2022