## https://sploitus.com/exploit?id=E8033F3F-24AB-5402-AEA7-5583EDDC76C9
# CVE-2022-40684-POC
CVE-2022-40684, affecting multiple #Fortinet solutions, is an authentication bypass that allows remote attackers to execute code via the REST API.
# details:
The recent FortiOS / FortiProxy / FortiSwitchManager CVE has reportedly been exploited in the wild.
The exploit can be used with any HTTP method (GET, POST, PUT, DELETE, etc.).
Using the /api/v2 (REST API) endpoint, the request can change the admin SSH keys, which leads to code execution.
The exploit is straightforward and simple (maybe complicated for some): any device with its administrative interface exposed
to the internet is in danger of being compromised with a single HTTP request that results in code execution.
All workarounds are listed below.
All the necessary information and a technical deep dive into the vulnerability can be found in PoC.pdf.
CVE-2022-40684.py is the script that exploits the vulnerability and adds SSH keys for the admin/user to obtain
command execution.
Here is the download link for the exploit: [CVE-2022-40684.py](https://bit.ly/3esvBuE)
![PoC](/poc.png)
## Workaround:
# FortiOS:
- Disable HTTP/HTTPS administrative interface
OR
- Limit IP addresses that can reach the administrative interface:
```
config firewall address
edit "my_allowed_addresses"
set subnet <MY IP> <MY SUBNET>
end
```
Then create an Address Group:
```
config firewall addrgrp
edit "MGMT_IPs"
set member "my_allowed_addresses"
end
```
Create the Local-in Policy to restrict access only to the predefined group on the management interface (here: port1):
```
config firewall local-in-policy
edit 1
set intf port1
set srcaddr "MGMT_IPs"
set dstaddr "all"
set action accept
set service HTTPS HTTP
set schedule "always"
set status enable
next
edit 2
set intf "any"
set srcaddr "all"
set dstaddr "all"
set action deny
set service HTTPS HTTP
set schedule "always"
set status enable
end
```
- If using non-default ports, create an appropriate service object for GUI administrative access:
```
config firewall service custom
edit GUI_HTTPS
set tcp-portrange <admin-sport>
next
edit GUI_HTTP
set tcp-portrange <admin-port>
end
```
- Use these objects instead of "HTTPS HTTP" in local-in policies 1 and 2 above.
# FortiProxy:
- Disable HTTP/HTTPS administrative interface
OR
- Limit IP addresses that can reach the administrative interface (here: port1):
```
config system interface
edit port1
set dedicated-to management
set trust-ip-1 <MY IP> <MY SUBNET>
end
```