Vulnerable Fortinet Special Report

LAST UPDATED: 2022-10-14

Introduction

This one-time Special Report contains information about Fortinet devices likely vulnerable to CVE-2022-40684, a critical authentication bypass in the administrative interface of FortiOS, FortiProxy and FortiSwitchManager. This vulnerability is being exploited in the wild.

The report is sourced from LeakIX.

The 2022-10-14 report contains 17415 unique, potentially vulnerable IPs.

Mitigation

Fortinet published its advisory and fixed releases on Oct 10th 2022 (fixed in FortiOS 7.0.7 and 7.2.2, FortiProxy 7.0.7 and 7.2.1, and FortiSwitchManager 7.2.1; earlier 7.0.x and 7.2.x releases are affected). If the administrative HTTP/HTTPS interface of an affected FortiOS, FortiProxy or FortiSwitchManager device was reachable from the Internet before the patch was applied, assume it may already have been compromised, because exploitation has been observed. Investigate for signs of compromise in accordance with best practice: review administrator accounts and recent configuration changes for anything you did not create, and rotate any credentials held on the device.

Do not expose the management interface of your Fortinet device to the public Internet. Restrict administrative access to trusted management networks, for example by disabling HTTP/HTTPS administrative access on Internet-facing interfaces or by using local-in policies that only accept trusted source addresses, and patch as soon as possible following Fortinet's guidance.

About Special Reports

Shadowserver Special Reports are unlike all of our other standard free daily network reports.

Instead, we send out Special Reports in situations where we share one-time, high-value datasets that we feel should be reported responsibly for maximum public benefit, such as when a critical new vulnerability is being exploited against potentially high-value targets.

Note that the data shared across Special Reports may differ on a case-by-case basis, so the report formats of different Special Reports may also differ.

Filename: 2022-10-14-special

Fields

  • timestamp
    Timestamp when the IP address was seen, in UTC (no time zone suffix is included)
  • ip
    IP address of the affected device
  • port
    TCP port on which the administrative interface was identified (typically 443, but non-standard ports such as 444 also appear)
  • protocol
    Transport protocol (tcp in this report)
  • asn
    Autonomous System Number of the affected device
  • geo
    Country of the affected device (two-letter country code)
  • region
    Region of the affected device
  • city
    City of the affected device
  • hostname
    Hostname of the affected device (may be from reverse DNS)
  • naics
    North American Industry Classification System code (empty when unknown)
  • sector
    Sector of the IP in question (empty when unknown)
  • tag
    Set to cve-2022-40684
  • public_source
    Source of the data, set to LeakIX
  • status
    Set to critical
  • method
    Not used in this report (left empty)
  • device_vendor
    Set to Fortinet

Sample

Note that the ip column is masked ("x.x") in this excerpt; live reports contain the full address.

"timestamp","ip","port","protocol","asn","geo","region","city","hostname","naics","sector","tag","public_source","status","method","device_vendor"
"2022-10-13 23:38:39","62.173.x.x",443,"tcp",29091,"NG","LAGOS","LAGOS","62.173.61.218",541191,,"cve-2022-40684","LeakIX","critical",,"Fortinet"
"2022-10-13 23:39:58","199.58.x.x",444,"tcp",16438,"CA","QUEBEC","JOLIETTE","199.58.238.114",,,"cve-2022-40684","LeakIX","critical",,"Fortinet"
"2022-10-13 23:40:14","96.9.x.x",443,"tcp",131207,"KH","PHNOM PENH","PHNUM PENH","96.9.74.66",,,"cve-2022-40684","LeakIX","critical",,"Fortinet"
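Recipients usually want to pull their own networks out of a report like this and count what is exposed by country, ASN and port. The following parser for the field layout above is an added example and not Shadowserver code; it embeds the three sample records as constructed input, and the ASN used for the ownership filter (16438) is an assumption chosen only to match one of those records.

```python
"""Parse a Shadowserver 'Vulnerable Fortinet Special Report' CSV and pick out
the records that belong to your own networks.  Added example, not Shadowserver
code; the ASN used in the filter below is an assumption for illustration."""
import csv
import io
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Iterable, List

# Constructed input: the three records from the report's Sample section.  The
# ip column is masked ("x.x") in the published excerpt; live reports carry the
# full address.
SAMPLE_CSV = '''"timestamp","ip","port","protocol","asn","geo","region","city","hostname","naics","sector","tag","public_source","status","method","device_vendor"
"2022-10-13 23:38:39","62.173.x.x",443,"tcp",29091,"NG","LAGOS","LAGOS","62.173.61.218",541191,,"cve-2022-40684","LeakIX","critical",,"Fortinet"
"2022-10-13 23:39:58","199.58.x.x",444,"tcp",16438,"CA","QUEBEC","JOLIETTE","199.58.238.114",,,"cve-2022-40684","LeakIX","critical",,"Fortinet"
"2022-10-13 23:40:14","96.9.x.x",443,"tcp",131207,"KH","PHNOM PENH","PHNUM PENH","96.9.74.66",,,"cve-2022-40684","LeakIX","critical",,"Fortinet"
'''

EXPECTED_COLUMNS = [
    "timestamp", "ip", "port", "protocol", "asn", "geo", "region", "city",
    "hostname", "naics", "sector", "tag", "public_source", "status", "method",
    "device_vendor",
]
INT_FIELDS = ("port", "asn", "naics")  # numeric columns, empty when unknown


def parse_report(text: str) -> List[Dict[str, object]]:
    """Return one dict per record.  Empty CSV fields become None, numeric
    columns become int, and the timestamp becomes a timezone-aware UTC
    datetime.  A header that does not match the documented layout is an
    error rather than silently mis-mapped columns."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != EXPECTED_COLUMNS:
        raise ValueError(f"unexpected header: {reader.fieldnames}")
    rows: List[Dict[str, object]] = []
    for raw in reader:
        row: Dict[str, object] = {k: (v if v != "" else None) for k, v in raw.items()}
        for field in INT_FIELDS:
            row[field] = int(row[field]) if row[field] is not None else None
        # The report states the timestamp in UTC without a zone suffix, so
        # attach the zone explicitly instead of leaving a naive datetime.
        row["timestamp"] = datetime.strptime(
            str(row["timestamp"]), "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def my_records(rows: Iterable[Dict[str, object]],
               my_asns: Iterable[int]) -> List[Dict[str, object]]:
    """Records tagged for CVE-2022-40684 with status critical that sit in
    one of the given ASNs.  Checking tag and status keeps the function
    safe to reuse on other Shadowserver reports with this column layout."""
    wanted = set(my_asns)
    return [
        r for r in rows
        if r["tag"] == "cve-2022-40684"
        and r["status"] == "critical"
        and r["asn"] in wanted
    ]


def summarize(rows: Iterable[Dict[str, object]]) -> Dict[str, Counter]:
    """Counts by country, ASN and port.  A non-443 port in the result is a
    reminder that the exposed administrative interface is not always on
    the default port, so a scan of your own ranges must not assume 443."""
    recs = list(rows)
    return {
        "by_geo": Counter(str(r["geo"]) for r in recs),
        "by_asn": Counter(int(r["asn"]) for r in recs),  # type: ignore[arg-type]
        "by_port": Counter(int(r["port"]) for r in recs),  # type: ignore[arg-type]
    }


if __name__ == "__main__":
    records = parse_report(SAMPLE_CSV)
    print(f"{len(records)} records in report")
    for r in my_records(records, my_asns=[16438]):  # assumed: your own ASN(s)
        print(r["timestamp"].isoformat(), r["ip"], r["port"], r["hostname"])  # type: ignore[attr-defined]
    print(summarize(records))
```

Point `parse_report` at the text of the real report file and replace the assumed ASN list with your own; every record returned by `my_records` is a device whose administrative interface should be taken off the Internet and checked for compromise as described under Mitigation.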
