Fortinet is urging customers to patch a critical authentication bypass vulnerability that has already been exploited in the wild.
Earlier this month, the networking vendor patched the bug, CVE-2022-40684, found in its FortiOS network operating system, FortiProxy secure web proxy, and FortiSwitchManager management platform projects.
The vulnerability allows an unauthenticated attacker to add an SSH key to the admin user, enabling potential miscreants to hack the administrative interface using specially crafted HTTP or HTTPS requests.
The issue affects FortiOS versions from 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1, FortiProxy versions from 7.0.0 to 7.0.6 and 7.2.0, and FortiSwitchManager versions 7.0.0 and 7.2.0.
Full article: https://portswigger.net/daily-swig/critical-authentication-bug-in-fortinet-products-actively-exploited-in-the-wild
