CVE-2022-40684
Published: 2022-10-18
CVSS 3.1: 9.8 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-11-01
Exploited in the wild
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortinet | — | — |
| fortinet | fortios | — | — |
| fortinet | fortios | >= 7.0.0 < 7.0.7 | 7.0.7 |
| fortinet | fortios | >= 7.2.0 < 7.2.2 | 7.2.2 |
| fortinet | fortiproxy | — | — |
| fortinet | fortiproxy | — | — |
| fortinet | fortiproxy | >= 7.0.0 < 7.0.7 | 7.0.7 |
| fortinet | fortiswitchmanager | — | — |
| fortinet | fortiswitchmanager | — | — |
| fortinet | fortiswitchmanager | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |