Unrated severityCISA KEVNVD Advisory· Published Oct 18, 2022· Updated Jan 12, 2026

CVE-2022-40684

Description

An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

Affected products

Fortinet/Fortinet FortiOS, FortiProxy, FortiSwitchManagerv5
Range: FortiOS 7.2.1, 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0; FortiProxy 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0; FortiSwitchManager 7.2.0, 7.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

packetstormsecurity.com/files/169431/Fortinet-FortiOS-FortiProxy-FortiSwitchManager-Authentication-Bypass.htmlmitre
packetstormsecurity.com/files/171515/Fortinet-7.2.1-Authentication-Bypass.htmlmitre
fortiguard.com/psirt/FG-IR-22-377mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.076
exploit	0.030
kev	0.120
patch	0.000
ransomware	0.060