CVE-2022-40684
KEV (listed in the CISA Known Exploited Vulnerabilities catalog)
Fortinet Multiple Products Authentication Bypass Vulnerability
CVSS base score: 9.8 (Critical)
Published:
Last updated:
Source: psirt@fortinet.com
Status: Analyzed
Weakness (CWE)
CVSS Vector (v3.1): AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Description
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
Exploits
- ID 51092 | 2023-03-27 | webapps | Multiple
  FortiOS, FortiProxy, FortiSwitchManager v7.2.1 - Authentication Bypass
  By Felipe Alcantara
- ID 52239 | 2025-04-16 | remote | Windows
  Fortinet FortiOS, FortiProxy, and FortiSwitchManager 7.2.0 - Authentication bypass
  By ub3rsick
References
- http://packetstormsecurity.com/files/169431/Fortinet-FortiOS-FortiProxy-FortiSwitchManager-Authentication-Bypass.html (sources: psirt@fortinet.com; af854a3a-2127-422b-91ae-364da2661108)
- http://packetstormsecurity.com/files/171515/Fortinet-7.2.1-Authentication-Bypass.html (sources: psirt@fortinet.com; af854a3a-2127-422b-91ae-364da2661108)
- https://fortiguard.com/psirt/FG-IR-22-377 (sources: af854a3a-2127-422b-91ae-364da2661108; 134c704f-9b21-4f2e-91b3-4a467353bcc0)
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-40684