{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2022-40684","assignerOrgId":"6abe59d8-c742-4dff-8ce8-9b0ca1073da8","assignerShortName":"fortinet","dateUpdated":"2026-01-12T21:20:08.364Z","dateReserved":"2022-09-14T00:00:00.000Z","datePublished":"2022-10-18T00:00:00.000Z"},"containers":{"cna":{"providerMetadata":{"orgId":"6abe59d8-c742-4dff-8ce8-9b0ca1073da8","shortName":"fortinet","dateUpdated":"2023-03-27T00:00:00.000Z"},"descriptions":[{"lang":"en","value":"An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests."}],"affected":[{"vendor":"Fortinet","product":"Fortinet FortiOS, FortiProxy, FortiSwitchManager","versions":[{"version":"FortiOS 7.2.1, 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0; FortiProxy 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0; FortiSwitchManager 7.2.0, 7.0.0","status":"affected"}]}],"references":[{"url":"https://fortiguard.com/psirt/FG-IR-22-377"},{"url":"http://packetstormsecurity.com/files/169431/Fortinet-FortiOS-FortiProxy-FortiSwitchManager-Authentication-Bypass.html"},{"url":"http://packetstormsecurity.com/files/171515/Fortinet-7.2.1-Authentication-Bypass.html"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","exploitCodeMaturity":"FUNCTIONAL","remediationLevel":"UNAVAILABLE","reportConfidence":"CONFIRMED","baseScore":9.8,"temporalScore":9.6,"baseSeverity":"CRITICAL","temporalSeverity":"CRITICAL"}}],"problemTypes":[{"descriptions":[{"type":"text","lang":"en","description":"Execute unauthorized code or commands"}]}]},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T12:21:46.541Z"},"title":"CVE Program Container","references":[{"url":"https://fortiguard.com/psirt/FG-IR-22-377","tags":["x_transferred"]},{"url":"http://packetstormsecurity.com/files/169431/Fortinet-FortiOS-FortiProxy-FortiSwitchManager-Authentication-Bypass.html","tags":["x_transferred"]},{"url":"http://packetstormsecurity.com/files/171515/Fortinet-7.2.1-Authentication-Bypass.html","tags":["x_transferred"]}]},{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-287","lang":"en","description":"CWE-287 Improper Authentication"}]}],"references":[{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-40684","tags":["government-resource"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-10-23T13:27:43.070187Z","id":"CVE-2022-40684","options":[{"Exploitation":"active"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}},{"other":{"type":"kev","content":{"dateAdded":"2022-10-11","reference":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-40684"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-12T21:20:08.364Z"}}]}}