9.8
CVE-2022-40684
- EPSS 94.43%
- Veröffentlicht 18.10.2022 14:15:09
- Zuletzt bearbeitet 14.01.2026 19:19:58
- Quelle psirt@fortinet.com
- CVE-Watchlists
- Unerledigt
LoginAn authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Fortinet ≫ FortiProxy Version >= 7.0.0 < 7.0.7
Fortinet ≫ FortiProxy Version7.2.0
Fortinet ≫ FortiSwitch Manager Version7.0.0
Fortinet ≫ FortiSwitch Manager Version7.2.0
11.10.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog
Fortinet Multiple Products Authentication Bypass Vulnerability
SchwachstelleFortinet FortiOS, FortiProxy, and FortiSwitchManager contain an authentication bypass vulnerability that could allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
BeschreibungApply updates per vendor instructions.
Erforderliche Maßnahmen10.10.2022: CERT.at Warnung
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 94.43% | 1 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| psirt@fortinet.com | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.