cscli scenarios install crowdsecurity/CVE-2022-40684
Detects exploitation attempts against the FortiOS, FortiProxy, and FortiSwitchManager authentication bypass vulnerability (CVE-2022-40684).
type: trigger
name: crowdsecurity/fortinet-cve-2022-40684
description: "Detect cve-2022-40684 exploitation attempts"
filter: |
  evt.Meta.log_type in ["http_access-log", "http_error-log"] and
  Upper(evt.Meta.http_path) startsWith Upper('/api/v2/cmdb/system/admin/') and Lower(evt.Parsed.http_user_agent) == 'report runner'
groupby: "evt.Meta.source_ip"
blackhole: 2m
labels:
  type: exploit
  remediation: true
  classification:
    - attack.T1548
    - cve.CVE-2022-40684
  spoofable: 0
  confidence: 3
  behavior: "http:exploit"
  label: "Fortinet CVE-2022-40684"
  service: fortinet
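The scenario's matching logic, replayed over access-log lines as an added example (not CrowdSec's own code). The combined log layout, the sample lines, the names `matches_filter` and `detect`, and the simplified per-IP model of `blackhole` are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Combined access-log layout (assumed; CrowdSec's parsers fill evt.Meta / evt.Parsed).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
PATH_PREFIX = "/api/v2/cmdb/system/admin/"   # from the scenario filter
USER_AGENT = "report runner"                 # from the scenario filter
BLACKHOLE = timedelta(minutes=2)             # blackhole: 2m

# Constructed sample lines (documentation IP ranges), in time order.
SAMPLE = [
    '192.0.2.10 - - [12/Oct/2022:10:00:00 +0000] "GET /api/v2/cmdb/system/admin/admin HTTP/1.1" 401 0 "-" "Report Runner"',
    '198.51.100.7 - - [12/Oct/2022:10:00:30 +0000] "GET /api/v2/cmdb/system/admin/admin HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Oct/2022:10:00:40 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Report Runner"',
    '203.0.113.5 - - [12/Oct/2022:10:00:50 +0000] "GET /api/v2/cmdb/system/admin/admin HTTP/1.1" 401 0 "-" "Report Runner"',
    '192.0.2.10 - - [12/Oct/2022:10:01:00 +0000] "GET /api/v2/cmdb/system/admin/admin HTTP/1.1" 401 0 "-" "Report Runner"',
    '192.0.2.10 - - [12/Oct/2022:10:03:00 +0000] "GET /API/V2/CMDB/SYSTEM/ADMIN/admin HTTP/1.1" 401 0 "-" "report runner"',
]

def matches_filter(path, user_agent):
    """Both filter conditions: case-insensitive path prefix, exact lowercased User-Agent."""
    return (path.upper().startswith(PATH_PREFIX.upper())
            and user_agent.lower() == USER_AGENT)

def detect(lines):
    """Trigger on the first match per source IP, then stay silent for BLACKHOLE."""
    last_alert, alerts = {}, []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not matches_filter(m["path"], m["ua"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        prev = last_alert.get(m["ip"])
        if prev is not None and ts - prev < BLACKHOLE:
            continue  # same source IP is still inside the blackhole window
        last_alert[m["ip"]] = ts
        alerts.append((m["ip"], m["ts"]))
    return alerts

if __name__ == "__main__":
    for ip, ts in detect(SAMPLE):
        print(f"alert source_ip={ip} at {ts}")
```

Because both conditions must hold, a request to the admin path with a different User-Agent, or the same User-Agent on an unrelated path, does not trigger; any detection that depends on a fixed User-Agent string only catches clients that send it unchanged.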