CVE-2022-35843
published 2022-12-06

Priority: P268 critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.89% (54.8th percentile)
An authentication bypass by assumed-immutable data vulnerability [CWE-302] in the FortiOS SSH login component 7.2.0, 7.0.0 through 7.0.7, 6.4.0 through 6.4.9, 6.2 all versions, 6.0 all versions and FortiProxy SSH login component 7.0.0 through 7.0.5, 2.0.0 through 2.0.10, 1.2.0 all versions may allow a remote and unauthenticated attacker to login into the device via sending specially crafted Access-Challenge response from the Radius server.

Affected (13 ranges)

Vendor    Product     Version range        Fixed in
fortinet  fortios
fortinet  fortios
fortinet  fortios
fortinet  fortios     >= 6.0.0 < 6.0.*     6.0.*
fortinet  fortios     6.0.0 – 6.0.15
fortinet  fortios     >= 6.2.0 < 6.2.*     6.2.*
fortinet  fortios     6.2.0 – 6.2.12
fortinet  fortios     6.4.0 – 6.4.9
fortinet  fortios     7.0.0 – 7.0.7
fortinet  fortiproxy
fortinet  fortiproxy  1.2.0 – 1.2.13
fortinet  fortiproxy  2.0.0 – 2.0.10
fortinet  fortiproxy  7.0.0 – 7.0.6

Detection & IOCs (extracted from sources)

  • Monitor for SSH login attempts to FortiOS/FortiProxy devices that are followed by or associated with RADIUS Access-Challenge responses — a specially crafted Access-Challenge from a RADIUS server can bypass SSH authentication entirely.
  • Alert on successful SSH logins to FortiOS/FortiProxy devices where RADIUS authentication is configured, especially from previously unseen or unauthenticated source IPs — the bypass requires no valid credentials.
  • Inspect RADIUS traffic (UDP/1812) between FortiOS/FortiProxy and RADIUS servers for anomalous or unexpected Access-Challenge packets, particularly those that may be injected or spoofed by a third party.
  • This vulnerability is only exploitable when RADIUS authentication is configured for SSH login on FortiOS or FortiProxy. Devices not using RADIUS for SSH are not affected.
  • Affected FortiOS versions: 7.2.0, 7.0.0 through 7.0.7, 6.4.0 through 6.4.9, 6.2 all versions, 6.0 all versions. Affected FortiProxy versions: 7.0.0 through 7.0.5, 2.0.0 through 2.0.10, 1.2.0 all versions.
  • The vulnerability is classified as CWE-302 (Authentication Bypass by Assumed-Immutable Data), meaning the exploit abuses trust in data that should be verified but is not — in this case, the RADIUS Access-Challenge response content.
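The following Python script is an added illustration of the correlation logic in the detection bullets above; it is example code written for this page, not taken from the page's sources or from Fortinet. The RADIUS header layout and packet codes come from RFC 2865 (Access-Challenge is code 11). Everything else is an assumption of the example: the RADIUS server address 192.0.2.10 and device address 192.0.2.1, the 30-second correlation window, the constructed SSH log format (`<ISO timestamp> ssh user=<u> src=<ip> result=<r>`, not the real FortiOS log format), and the two heuristics themselves (an SSH success whose most recent RADIUS server reply was an Access-Challenge rather than an Access-Accept, and an Access-Challenge from any address other than the configured RADIUS server).

```python
import struct
from datetime import datetime, timedelta

# RADIUS packet codes from RFC 2865 section 3. Access-Challenge is code 11.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def parse_radius_header(packet: bytes):
    """Return (code, identifier, length) of a RADIUS packet, or None if malformed."""
    if len(packet) < HEADER_LEN:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    # RFC 2865: Length must be at least 20 and must not exceed the datagram size.
    if not HEADER_LEN <= length <= len(packet):
        return None
    return code, ident, length


def build_radius(code: int, ident: int, attrs: bytes = b"") -> bytes:
    """Build a minimal RADIUS packet with a zeroed authenticator (constructed samples only)."""
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + bytes(16) + attrs


def parse_ssh_line(line: str):
    """Parse a constructed SSH record: '<ISO timestamp> ssh user=<u> src=<ip> result=<r>'."""
    ts, _, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields


def find_suspicious_logins(ssh_lines, radius_packets, radius_server,
                           window=timedelta(seconds=30)):
    """
    radius_packets: (timestamp, source_ip, raw_bytes) tuples seen on UDP/1812 in either direction.
    Heuristic 1 (assumed): an SSH success whose most recent RADIUS server reply inside `window`
    is an Access-Challenge rather than an Access-Accept should never have been granted.
    Heuristic 2 (assumed): an Access-Challenge from any address other than the configured
    RADIUS server is a candidate for an injected or spoofed response.
    """
    alerts = []
    replies = []  # (timestamp, code) for packets sent by the configured RADIUS server
    for ts, src, pkt in radius_packets:
        hdr = parse_radius_header(pkt)
        if hdr is None:
            alerts.append((ts, f"malformed RADIUS packet from {src}"))
            continue
        code = hdr[0]
        if code == ACCESS_CHALLENGE and src != radius_server:
            alerts.append((ts, f"Access-Challenge from unexpected source {src}"))
        if src == radius_server:
            replies.append((ts, code))

    for line in ssh_lines:
        ts, f = parse_ssh_line(line)
        if f.get("result") != "success":
            continue
        recent = [code for (rts, code) in replies if ts - window <= rts <= ts]
        if recent and recent[-1] == ACCESS_CHALLENGE:
            alerts.append((ts, f"SSH login user={f['user']} src={f['src']} granted after "
                               "Access-Challenge with no Access-Accept"))
    return alerts


# Constructed sample data: addresses from RFC 5737 documentation ranges, not real hosts.
RADIUS_SERVER = "192.0.2.10"
FIREWALL = "192.0.2.1"
T0 = datetime(2022, 12, 6, 10, 0, 0)
SAMPLE_RADIUS = [
    (T0, FIREWALL, build_radius(ACCESS_REQUEST, 1)),
    (T0 + timedelta(seconds=1), RADIUS_SERVER, build_radius(ACCESS_ACCEPT, 1)),       # normal login
    (T0 + timedelta(seconds=60), FIREWALL, build_radius(ACCESS_REQUEST, 2)),
    (T0 + timedelta(seconds=61), RADIUS_SERVER, build_radius(ACCESS_CHALLENGE, 2)),   # never accepted
    (T0 + timedelta(seconds=120), "198.51.100.7", build_radius(ACCESS_CHALLENGE, 3)),  # wrong source
    (T0 + timedelta(seconds=130), RADIUS_SERVER, b"\x0b\x03\x00\x05"),                 # truncated
]
SAMPLE_SSH = [  # constructed log lines
    "2022-12-06T10:00:02 ssh user=admin src=203.0.113.5 result=success",
    "2022-12-06T10:01:03 ssh user=admin src=203.0.113.9 result=success",
    "2022-12-06T10:01:30 ssh user=guest src=203.0.113.9 result=failure",
]


def detect_sample():
    """Run the rule over the constructed sample; returns the alert list."""
    return find_suspicious_logins(SAMPLE_SSH, SAMPLE_RADIUS, RADIUS_SERVER)


if __name__ == "__main__":
    for ts, msg in detect_sample():
        print(ts.isoformat(), msg)
```

On the constructed sample the rule raises three alerts: the Access-Challenge from 198.51.100.7, the truncated packet, and the second SSH success, whose only RADIUS reply in the preceding 30 seconds was an Access-Challenge. The first SSH success, preceded by an Access-Accept, is not flagged. In a real deployment the packet feed would come from a capture on UDP/1812 and the login records from the device's own logs; the window and the log parser are the two pieces to adapt.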