CVE-2022-40684 PoC — Fortinet FortiOS 授权问题漏洞

Source

https://github.com/TaroballzChen/CVE-2022-40684-metasploit-scanner

Associated Vulnerability

Title:Fortinet FortiOS 授权问题漏洞 (CVE-2022-40684)
Description:An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

Description

An authentication bypass using an alternate path or channel in Fortinet product

Readme

# CVE-2022-40684-metasploit-scanner
An authentication bypass using an alternate path or channel in Fortinet product

# preparation POC
```cmd
git clone https://github.com/TaroballzChen/CVE-2022-40684-metasploit-scanner
cd CVE-2022-40684-metasploit-scanner
mkdir -p ~/.msf4/modules/auxiliary/scanner/http
cp fortinet_product_auth_bypass.py ~/.msf4/modules/auxiliary/scanner/http/
chmod +x ~/.msf4/modules/auxiliary/scanner/http/fortinet_product_auth_bypass.py
msfconsole
```

# POC usage
```text
set rhosts <vuln ip/host>
set rport <vuln port>
set rssl <default: true for https>
set username <default: admin>
exploit
```

# result
![poc](poc.png)

# reference
- https://www.fortiguard.com/psirt/FG-IR-22-377
- https://github.com/horizon3ai/CVE-2022-40684
- https://github.com/carlosevieira/CVE-2022-40684
- https://github.com/Chocapikk/CVE-2022-40684

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!