Finding FortiOS, FortiProxy, and FortiSwitchManager assets on your network

(updated ), by Pearce Barry

News surfaced late last week of a critical authentication bypass vulnerability present in the web administration interface of some Fortinet products. Successful exploitation of this vulnerability (tracked as CVE-2022-40684) via crafted HTTP and HTTPS requests can provide remote attackers with admin-level command execution on vulnerable FortiOS devices including FortiGate firewalls, FortiProxy web proxies, and FortiSwitchManager assets.

What is the impact? #

With a CVSS critical score of 9.6, attackers running admin-level commands on compromised assets may have the ability to persist presence, explore connected internal networks, and exfiltrate data. Fortinet is aware of at least one exploit of this vulnerability in the wild, and Bleeping Computer offered a Shodan search showing more than 140k publicly accessible FortiGate devices which may be running vulnerable FortiOS. Additionally, security researchers with are planning on publishing an exploit PoC this week. For admins wanting to check if a FortiOS/FortiProxy/FortiSwitchManager asset has been exploited, Fortinet does provide an indicator of compromise (see the “Exploitation Status” section).

Are updates available? #

Fortinet has called out the vulnerable FortiOS, FortiProxy, and FortiSwitchManager versions in their advisory and has made updates available for affected products. Admins should ensure that affected models are updated to the latest version as soon as possible. If updates cannot be completed in the near term, Fortinet does provide some mitigation steps (see the “Workaround” section) that can be taken to secure vulnerable assets.

How do I find potentially vulnerable FortiOS, FortiProxy, and FortiSwitchManager assets with runZero? #

From the Asset Inventory, use the following pre-built query to locate FortiOS, FortiProxy, and FortiSwitchManager assets that may need remediation:

os:FortiOS or product:FortiProxy or product:FortiSwitchManager
The prebuilt query is available in the Queries Library

As always, any prebuilt queries are available from our Queries Library. Check out the library for other useful inventory queries.

Get runZero for free

Don’t have runZero and need help finding potentially vulnerable FortiOS, FortiProxy, or FortiSwitchManager assets?

Start your runZero trial
Join our team
Pearce Barry
Written by Pearce Barry

Pearce Barry is a Director of Security Research at runZero. Barry joined runZero in June 2021, working on the Metasploit Project the four years prior. Now, Pearce leads research efforts at runZero, which includes creating and improving fingerprints, adding to protocols, enhancing scanning logic, and writing queries.

Similar Content

September 29, 2023

How to find WS_FTP Server instances?

How to find WS_FTP Server instances? # On September 27th, Progress Sofware announced eight vulnerabilities in the WS_FTP Server software. These issues can lead to a full compromise of exposed WS_FTP systems and their data through the FTP, SSH, and web management services, …

Read More

September 26, 2023

How to find TeamCity instances

How to find TeamCity assets? # On September 20th, JetBrains announced a critical authentication bypass vulnerability that impacts users running the TeamCity On-Premises product. The vulnerability is being tracked using CVE-2023-42793 and presents the weakness of CWE-288 …

Read More

September 12, 2023

How to find OpenSSL 1.1 instances

How to find OpenSSL 1.1 instances # On September 11th, the venerable OpenSSL 1.1.1 reached its end of life date. That means that it will no longer be receiving publicly-available security fixes. Users without a third-party extended support contract will no longer receive …

Read More