Fortinet Appliance Auth bypass

Status: production
Severity: medium
Group by: Web.src, Web.url_length, c-uri, c-useragent, cs-host, cs-method
Author: Michael Haag, Splunk
Source: github.com/splunk/security_content

The following analytic detects attempts to exploit CVE-2022-40684, a Fortinet appliance authentication bypass vulnerability. It identifies REST API requests to the /api/v2/ endpoint using various HTTP methods (GET, POST, PUT, DELETE) that may indicate unauthorized modifications, such as adding SSH keys or creating new users. This detection leverages the Web datamodel to monitor specific URL patterns and HTTP methods. This activity is significant as it can lead to unauthorized access and control over the appliance. If confirmed malicious, attackers could gain persistent access, reroute network traffic, or capture sensitive information.

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1133` External Remote Services, `T1190` Exploit Public-Facing Application
Persistence	`T1133` External Remote Services

Rule body splunk

name: Fortinet Appliance Auth bypass
id: a83122f2-fa09-4868-a230-544dbc54bc1c
version: 10
creation_date: '2022-10-14'
modification_date: '2026-05-13'
author: Michael Haag, Splunk
status: production
type: TTP
description: |
    The following analytic detects attempts to exploit CVE-2022-40684, a Fortinet appliance authentication bypass vulnerability.
    It identifies REST API requests to the /api/v2/ endpoint using various HTTP methods (GET, POST, PUT, DELETE) that may indicate unauthorized modifications, such as adding SSH keys or creating new users.
    This detection leverages the Web datamodel to monitor specific URL patterns and HTTP methods.
    This activity is significant as it can lead to unauthorized access and control over the appliance.
    If confirmed malicious, attackers could gain persistent access, reroute network traffic, or capture sensitive information.
data_source:
    - Palo Alto Network Threat
search: |-
    | tstats `security_content_summariesonly`
             count min(_time) as firstTime
                   max(_time) as lastTime
    
    FROM datamodel=Web WHERE
    
    Web.url = "*/api/v2/cmdb/system/admin*"
    Web.http_method IN ("GET", "PUT")
    BY Web.http_user_agent
       Web.http_method Web.url
       Web.url_length
       Web.src Web.dest
    | `drop_dm_object_name("Web")`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `fortinet_appliance_auth_bypass_filter`
how_to_implement: |
    This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache. Splunk for Nginx, or Splunk for Palo Alto.
known_false_positives: |
    GET requests will be noisy and need to be filtered out or removed from the query based on volume.
    Restrict analytic to known publicly facing Fortigates, or run analytic as a Hunt until properly tuned.
    It is also possible the user agent may be filtered on Report Runner or Node.js only for the exploit, however, it is unknown at this if other user agents may be used.
references:
    - https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/
    - https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/
    - https://github.com/horizon3ai/CVE-2022-40684
    - https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/
    - https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis
    - https://github.com/rapid7/metasploit-framework/pull/17143
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: Potential CVE-2022-40684 against a Fortinet appliance may be occurring against $dest$.
    entity:
        field: dest
        type: system
        score: 50
analytic_story:
    - CVE-2022-40684 Fortinet Appliance Auth bypass
asset_type: Network
cve:
    - CVE-2022-40684
mitre_attack_id:
    - T1190
    - T1133
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: web
security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/fortigate/fortinetcve202240684.log
          source: not_applicable
          sourcetype: pan:threat
      test_type: unit

Stages and Predicates

Stage 1: `tstats`

| tstats `security_content_summariesonly`
         count min(_time) as firstTime
               max(_time) as lastTime

FROM datamodel=Web WHERE

Web.url = "*/api/v2/cmdb/system/admin*"
Web.http_method IN ("GET", "PUT")
BY Web.http_user_agent
   Web.http_method Web.url
   Web.url_length
   Web.src Web.dest

Stage 2: `search`

| `drop_dm_object_name("Web")`

Stage 3: `search`

| `security_content_ctime(firstTime)`

Stage 4: `search`

| `security_content_ctime(lastTime)`

Stage 5: `search`

| `fortinet_appliance_auth_bypass_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Web.http_method`	in	`"GET"` `"PUT"`
`Web.url`	eq	`"/api/v2/cmdb/system/admin"`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Fortinet Appliance Auth bypass

MITRE ATT&CK coverage

Rule body splunk

Stages and Predicates

Stage 1: `tstats`

Stage 2: `search`

Stage 3: `search`

Stage 4: `search`

Stage 5: `search`

Indicators

Keyboard shortcuts

Search operators

Fortinet Appliance Auth bypass

MITRE ATT&CK coverage

Rule body splunk

Stages and Predicates

Stage 1: tstats

Stage 2: search

Stage 3: search

Stage 4: search

Stage 5: search

Indicators

Stage 1: `tstats`

Stage 2: `search`

Stage 3: `search`

Stage 4: `search`

Stage 5: `search`