Cyber Resilience

CVE-2022-40684

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoCRansomware-linked

Published: 18 October 2022

Published
18 October 2022
Modified
14 January 2026
KEV Added
11 October 2022
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9443 100.0th percentile
Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-40684 is a critical-severity Improper Authentication (CWE-287) vulnerability in Fortinet Fortiproxy. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2022-40684 is an authentication bypass vulnerability (CWE-288, also referenced as CWE-287) affecting the administrative interface of Fortinet FortiOS versions 7.2.0–7.2.1 and 7.0.0–7.0.6, FortiProxy versions 7.2.0 and 7.0.0–7.0.6, and FortiSwitchManager versions 7.2.0 and 7.0.0. The flaw permits specially crafted HTTP or HTTPS requests to reach administrative functions without credentials, resulting in a CVSS 3.1 base score of 9.8.

An unauthenticated remote attacker can exploit the issue over the network to execute arbitrary operations on the management interface, with full impact to confidentiality, integrity, and availability of the affected device. Public exploit code for the vulnerability has been posted to Packet Storm.

The FortiGuard advisory FG-IR-22-377 addresses the issue and is referenced alongside multiple public exploit archives; organizations should consult that advisory for official remediation steps. The EPSS score has reached a peak of 0.9746 with a current value of 0.9443, indicating sustained high exploitation interest.

EU & UK References

Vulnerability details

An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to…

more

perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

CWE(s)
KEV Date Added
11 October 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

fortinet
fortiproxy
7.2.0 · 7.0.0 — 7.0.7
fortinet
fortiswitchmanager
7.0.0, 7.2.0
fortinet
fortios
7.0.0 — 7.0.7 · 7.2.0 — 7.2.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authentication and authorization checks on the administrative interface, blocking the alternate-path bypass before any operations can be performed.

prevent

Requires identification and authentication of organizational users prior to granting access to the Fortinet admin interface, directly countering the unauthenticated request exploitation.

prevent

Restricts network traffic to the administrative interface, limiting exposure of the vulnerable HTTP/HTTPS endpoints to only authorized sources.

References