Rule History

SID: 2039173 • Source: et/open

Versions (6)

Version Details (Current)

Rev: 3 • Oct 12, 2022, 12:00 PM

ET WEB_SERVER [Cluster25] FortiOS Auth Bypass Attempt (CVE-2022-40684)

alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER [Cluster25] FortiOS Auth Bypass Attempt (CVE-2022-40684)"; flow:established,to_server; flowbits:set,ET.CVE-2022-40684; http.uri; content:"/api/v2/"; startswith; nocase; content:"/system/"; nocase; distance:0; http.header; content:"Forwarded|3a 20|"; nocase; content:"for|3d 22 5b|127|2e|0|2e|0|2e|1|5d 3a|"; nocase; distance:0; fast_pattern; pcre:"/^Forwarded\x3a\x20[^\r\n]*for=\x22\x5b127\.0\.0\.1\x5d\x3a/mi"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:url,www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/; reference:url,horizon3.ai/fortinet-iocs-cve-2022-40684/; reference:cve,2022-40684; classtype:attempted-admin; sid:2039173; rev:3; metadata:affected_product Web_Server_Applications, affected_product Fortigate, attack_target Web_Server, created_at 2022_10_12, cve CVE_2022_40684, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_10_20, reviewed_at 2025_10_24;)

Oct 12, 2022, 12:00 PM

Oct 20, 2022, 12:00 PM

Sep 21, 2024, 3:00 AM

Oct 24, 2025, 9:34 PM

rules/emerging-web_server.rules