Authentication Bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager Administrative Interface

This repository is a small standalone Python exploit/assessment tool for CVE-2022-40684 affecting Fortinet FortiGate/FortiOS devices. The repository contains one primary code file (fortigate_tool.py), a README, dependency list, license, and .gitignore. The script is the clear entry point and uses requests, urllib3, argparse, json, os, and prettytable. Core exploit logic: the tool sends HTTPS requests to FortiGate CMDB API endpoints while setting crafted headers (Forwarded and X-Forwarded-For with 127.0.0.1, plus User-Agent: Report Runner). This is consistent with public exploitation patterns for CVE-2022-40684 authentication bypass. TLS verification is disabled. The script first checks likely vulnerability by requesting /api/v2/cmdb/system/admin and treating HTTP 200 with a results field as success. Capabilities implemented: - Vulnerability validation against /api/v2/cmdb/system/admin - Enumeration of admin users, local users, and user groups - Arbitrary endpoint dumping via --dump - Bulk configuration extraction via --dump-all from multiple sensitive CMDB endpoints - Unauthorized privileged account creation via POST to /api/v2/cmdb/system/admin with accprofile set to super_admin The dump-all feature targets numerous high-value configuration areas including system settings, interfaces, zones, local/LDAP/RADIUS users, firewall objects and policies, VPN settings, routes, and logging configuration. Responses are written locally under fortigate_dump/ as JSON or raw text. This is not merely a detector: it includes active post-bypass actions and a write capability (admin creation), making it a real exploit tool rather than a simple scanner. It is operational but not highly modular or framework-based; payloads and behavior are hardcoded and driven by command-line flags.

This repository provides a proof-of-concept (PoC) exploit for CVE-2022-40684, a critical authentication bypass vulnerability affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager. The repository contains a Python script (exploit.py) that sends specially crafted HTTP GET requests to the target's administrative API endpoints, using specific headers to exploit the authentication bypass. If the target is vulnerable, the script extracts and displays admin usernames, access levels, device serial number, version, and LDAP configuration details. The repository also includes a Nuclei YAML template (CVE-2022-40684.yaml) for automated vulnerability scanning, a README with usage instructions, and some update log files. The exploit is read-only and does not modify the target, focusing on information disclosure. The main attack vector is network-based, targeting the administrative web interface of Fortinet devices.

This repository is a Rust-based exploit tool targeting Fortinet FortiOS devices vulnerable to CVE-2022-40684. The exploit works by sending a crafted HTTPS PUT request to the FortiOS management API endpoint (/api/v2/cmdb/system/admin/admin) with custom headers and a JSON body containing the attacker's SSH public key. If the target is vulnerable, the key is added to the admin account's authorized_keys, granting the attacker SSH access as admin. The tool takes a list of target IP addresses and a public key file as input, attempts the exploit in parallel across all targets, and reports which hosts were successfully compromised. The codebase is structured with a main entry point (src/main.rs), the core exploit logic (src/cve.rs), and a test harness (tests/integration_test.rs). No hardcoded credentials or fake payloads are present; the exploit is operational and automates a real-world attack scenario.

This repository contains a Python proof-of-concept exploit for CVE-2022-40684, an authentication bypass vulnerability affecting Fortinet FortiProxy and FortiOS devices. The main script, 'CVE-2022-40684.py', automates the exploitation process by reading a list of target URLs, usernames, and an attacker's SSH public key from files. For each target and username, it sends a crafted HTTP PUT request to the '/api/v2/cmdb/system/admin/<username>' endpoint, attempting to inject the attacker's SSH public key into the admin account. If successful, this grants the attacker SSH access to the device. The exploit requires network access to the vulnerable device's API and is operational, as it performs the actual key injection. The repository also includes a README with usage instructions and a LICENSE file.

This repository is a proof-of-concept exploit for CVE-2022-40684, a critical authentication bypass vulnerability affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager appliances. The main exploit script (exploit.py) allows an attacker to add their SSH public key to the admin user (or another specified user) on a vulnerable device by abusing an unauthenticated REST API endpoint. The script supports both single-target and mass exploitation (via a list of targets), and can provide an interactive SSH shell if the key is successfully injected. The exploit works by sending a crafted HTTP PUT request to the /api/v2/cmdb/system/admin/{username} endpoint with a JSON payload containing the attacker's SSH key. If successful, the attacker gains SSH access to the device. The repository also includes a parser script (parser_zoomeye.py) for processing Zoomeye search results, and a requirements.txt file listing dependencies (paramiko, requests, rich). The README provides detailed usage instructions, affected product versions, and mitigation advice. The exploit is operational and provides real post-exploitation access, but is not part of a larger framework.

This repository contains an exploit for CVE-2022-40684, a critical authentication bypass vulnerability affecting Fortinet FortiGate devices. The main file, exp.py, is a Python script that allows an attacker to upload their own SSH public key to the admin account of a vulnerable device by sending a crafted HTTP PUT request to the /api/v2/cmdb/system/admin/admin endpoint. The script supports both single-target and batch exploitation modes, reading targets from a file if specified. After attempting the exploit, it checks if the SSH port (22) is open, indicating successful key upload and potential SSH access. The README provides usage instructions and context for identifying FortiGate devices. The exploit is operational, requiring a valid SSH public key and access to the vulnerable API endpoint.

This repository contains a Metasploit auxiliary scanner module (fortinet_product_auth_bypass.py) targeting CVE-2022-40684, an authentication bypass vulnerability in several Fortinet products (FortiOS, FortiProxy, FortiSwitchManager). The exploit is written in Python and designed to be used within the Metasploit framework. It works by sending specially crafted HTTP(S) requests with manipulated headers to administrative API endpoints, bypassing authentication controls. Upon successful exploitation, it enumerates admin users, retrieves product serial and version information, and attempts to leak LDAP configuration from the target device. The module is operational and provides actionable results for penetration testers and defenders. The README provides clear setup and usage instructions, and the code is structured for integration with Metasploit's scanner modules.

This repository provides a working exploit and detection script for CVE-2022-40684, a critical authentication bypass vulnerability in Fortinet FortiOS, FortiProxy, and FortiSwitchManager appliances. The main exploit (exploit.py) is a Python script that allows an attacker to inject their SSH public key into the admin account (or another specified user) on a vulnerable device by sending a crafted HTTP PUT request to the /api/v2/cmdb/system/admin/{username} endpoint. If successful, the script then attempts to connect via SSH using the injected key, providing an interactive shell to the attacker. The script supports both single-target and mass exploitation modes, with multithreading for efficiency. The repository also includes a Nmap NSE script (cve-2022-40684.nse) for detection, a simple parser for Zoomeye search results, and a requirements.txt for dependencies. The exploit is operational and provides real post-exploitation access if the target is vulnerable. No hardcoded payloads are present; the attacker's own SSH key is used. The main attack vector is network-based, targeting the HTTP management interface of the affected Fortinet products.

This repository contains a Bash proof-of-concept exploit for CVE-2022-40684, an authentication bypass vulnerability affecting Fortinet devices (such as FortiGate). The repository consists of a README.md with usage instructions and a single exploit script, poc.sh. The script takes a target IP and port as arguments, then sends a specially crafted HTTPS GET request to the /api/v2/cmdb/system/admin endpoint on the target device, using specific HTTP headers to exploit the authentication bypass. If successful, it dumps the system admin information to a file named after the target IP. The exploit demonstrates the vulnerability and provides a clear indication of whether the target is affected. The code is a straightforward PoC and does not provide weaponized or post-exploitation capabilities.

This repository provides a proof-of-concept (PoC) exploit for CVE-2022-40684, a critical authentication bypass vulnerability affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager. The repository contains three files: a Python exploit script (exploit.py), a Nuclei template (CVE-2022-40684.yaml), and a README.md with usage instructions. The exploit works by sending specially crafted HTTP GET requests with specific headers to the administrative API endpoints of the target device, bypassing authentication and extracting sensitive information such as admin usernames, access levels, device serial and version, and LDAP configuration. The Nuclei template allows for automated detection of the vulnerability. The exploit is read-only and does not modify device state. The main attack vector is network-based, targeting exposed administrative interfaces. No hardcoded IPs or domains are present; the target is user-supplied.

This repository contains a proof-of-concept (POC) exploit for CVE-2022-40684, an authentication bypass vulnerability affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager appliances. The main file, CVE-2022-40684.py, is a Python script that allows an attacker to add their own SSH public key to a specified user account on a vulnerable device by sending a crafted HTTP PUT request to the device's API endpoint. The script requires the target's IP address, a valid username, and a path to the attacker's SSH public key file. If successful, the attacker can then SSH into the device as the specified user. The repository also includes a README.md with technical analysis, usage instructions, and mitigation advice. The exploit is network-based, targeting the device's HTTPS API interface, and is a functional POC that demonstrates the vulnerability's impact.