← Back to CVEs
CVE-2022-40684
CRITICALCISA KEV9.8
Description
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
CVE Details
CVSS v3.1 Score9.8
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published10/18/2022
Last Modified1/14/2026
Sourcekev
Honeypot Sightings0
CISA KEV
VendorFortinet
ProductMultiple Products
Vulnerability NameFortinet Multiple Products Authentication Bypass Vulnerability
KEV Date Added2022-10-11
Remediation Due Date2022-11-01
Ransomware UseKnown
Affected Products
fortinet:fortiosfortinet:fortiproxyfortinet:fortiswitchmanager
Weaknesses (CWE)
CWE-287CWE-287
References
http://packetstormsecurity.com/files/169431/Fortinet-FortiOS-FortiProxy-FortiSwitchManager-Authentication-Bypass.html(psirt@fortinet.com)
http://packetstormsecurity.com/files/171515/Fortinet-7.2.1-Authentication-Bypass.html(psirt@fortinet.com)
https://fortiguard.com/psirt/FG-IR-22-377(psirt@fortinet.com)
http://packetstormsecurity.com/files/169431/Fortinet-FortiOS-FortiProxy-FortiSwitchManager-Authentication-Bypass.html(af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/171515/Fortinet-7.2.1-Authentication-Bypass.html(af854a3a-2127-422b-91ae-364da2661108)
https://fortiguard.com/psirt/FG-IR-22-377(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-40684(134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.