CVE-2022-40684
- CVSS base score 9.8
- EPSS 94.43%
- Published 18.10.2022 14:15:09
- Last modified 19.02.2025 19:37:18
- Source psirt@fortinet.com
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6, and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
Data is provided by the National Vulnerability Database (NVD)
Fortinet ≫ Fortiproxy Version >= 7.0.0 < 7.0.7
Fortinet ≫ Fortiproxy Version 7.2.0
Fortinet ≫ Fortiswitchmanager Version 7.0.0
Fortinet ≫ Fortiswitchmanager Version 7.2.0
11.10.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog
- Vulnerability: Fortinet Multiple Products Authentication Bypass Vulnerability
- Description: Fortinet FortiOS, FortiProxy, and FortiSwitchManager contain an authentication bypass vulnerability that could allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
- Required actions: Apply updates per vendor instructions.
10.10.2022: CERT.at Warning
Type | Source | Score | Percentile
---|---|---|---
EPSS | FIRST.org | 94.43% | 1

Source | Base Score | Exploit Score | Impact Score | Vector string
---|---|---|---|---
nvd@nist.gov | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
psirt@fortinet.com | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.