Description
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
CISA Known Exploited Vulnerability
Date added 2022-10-11 | Due date 2022-11-01
Known Ransomware Campaign(s)
Apply updates per vendor instructions.
Problem types
Execute unauthorized code or commands
Product status
References
fortiguard.com/psirt/FG-IR-22-377
packetstormsecurity.com/...anager-Authentication-Bypass.html
packetstormsecurity.com/...-7.2.1-Authentication-Bypass.html
www.cisa.gov/...erabilities-catalog?field_cve=CVE-2022-40684