CVE-2022-40684
CVE-2022-40684 is a critical-severity vulnerability in Fortinet Fortiproxy with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-10-11). The underlying weakness is classified as CWE-287.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-10-11)
- EU (EUVD) id: EUVD-2022-43955
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-10-11)
- Weakness: CWE-287
- Affected product: Fortinet Fortiproxy
- Published:
- Last modified:
Description
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
CVE-2022-40684: Fortinet Authentication Bypass in FortiOS, FortiProxy, and FortiSwitchManager
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE | CVE-2022-40684 |
| CVSS 3.1 | 9.8 (CRITICAL) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| EPSS | 0.99984 (99.984%) |
| EPSS Percentile | 99.983% |
| CWE | CWE-287 |
| KEV | Yes (2022-10-11) |
| EU Exploited | Yes (since 2022-10-11) |
| Vendor | Fortinet |
Summary
CVE-2022-40684 is an authentication bypass vulnerability affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager administrative interfaces. An unauthenticated attacker can exploit this flaw by sending specially crafted HTTP or HTTPS requests to perform operations on the administrative interface without valid credentials.
Background
Fortinet's network security products are widely deployed as edge firewalls, proxies, and network management platforms. The administrative interfaces of these devices are critical control points, typically used to manage policies, configurations, and security settings. When these interfaces are exposed to untrusted networks, they become high-value targets for adversaries.
Root Cause
The vulnerability is classified under CWE-287 (Improper Authentication). The original disclosure summary also references CWE-288 (Authentication Bypass Using an Alternate Path or Channel). The flaw exists because the affected administrative interfaces fail to properly validate authentication state for certain crafted HTTP or HTTPS requests, allowing an attacker to access administrative functionality through an alternate path that bypasses standard authentication controls.
Impact
This vulnerability carries a CVSS 3.1 score of 9.8 (CRITICAL) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
- Attack Vector: Network — exploitable remotely without physical access
- Attack Complexity: Low — no special conditions or mitigating factors required
- Privileges Required: None — fully unauthenticated
- User Interaction: None — no user action needed
- Scope: Unchanged
- Impact: High confidentiality, integrity, and availability impact
An unauthenticated attacker gaining administrative access to Fortinet devices can modify firewall rules, exfiltrate sensitive data, establish persistent access, or disrupt network operations.
Exploitation Walkthrough
Ethics Notice: This section provides a defensive, high-level understanding of the attack mechanism for detection and mitigation purposes. It does not contain working exploit code or step-by-step instructions for weaponization.
The attack is conducted by sending specially crafted HTTP or HTTPS requests to the administrative interface of affected Fortinet devices. Due to improper authentication validation, these requests are processed as legitimate administrative actions without requiring valid credentials or session tokens.
From a defender's perspective, the exploitation leaves detectable artifacts:
- Unusual HTTP requests to
/api/or administrative endpoints without prior authentication - Administrative operations (e.g., configuration changes, user additions) originating from unexpected source IPs
- Absence of standard login events preceding administrative actions
Affected and Patched Versions
Affected Products:
- FortiOS 7.2.0 through 7.2.1
- FortiOS 7.0.0 through 7.0.6
- FortiProxy 7.2.0
- FortiProxy 7.0.0 through 7.0.6
- FortiSwitchManager 7.2.0
- FortiSwitchManager 7.0.0
Patched Versions: Specific patched version numbers are not detailed in the available source data. Organizations should consult the FortiGuard PSIRT advisory for the definitive list of fixed versions and apply all recommended updates.
Remediation
- Upgrade immediately: Apply the latest patches from Fortinet as specified in FG-IR-22-377.
- Restrict administrative access: Limit administrative interface access to dedicated management networks or VPNs only; never expose admin interfaces to the public internet.
- Network segmentation: Place management interfaces on isolated VLANs or out-of-band networks.
- Monitor for compromise: Review device configurations and logs for unauthorized changes since the vulnerability's disclosure.
- Implement compensating controls: Where patching is delayed, consider Web Application Firewall (WAF) rules or network-level access controls to block unauthorized administrative requests.
Detection
- Monitor Fortinet device logs for administrative actions without corresponding authentication events.
- Alert on HTTP/HTTPS requests to administrative endpoints from unexpected source IP addresses.
- Review configuration change logs for unauthorized modifications to firewall policies, user accounts, or SSL VPN settings.
- Correlate traffic patterns with known indicators of compromise (IOCs) published by FortiGuard PSIRT.
- Use CISA's KEV catalog to ensure this CVE is tracked in your vulnerability management program.
Assessment
With an EPSS score of 0.99984 (99.984th percentile), this vulnerability is among the most likely to be actively exploited in the wild. Its presence in the CISA Known Exploited Vulnerabilities (KEV) catalog since 2022-10-11 and the EU exploited list since the same date confirms widespread active use by threat actors.
Key Takeaways:
- Administrative interfaces are crown jewels. Exposing management interfaces to untrusted networks dramatically increases the blast radius of authentication bypass vulnerabilities.
- Authentication bypass in security appliances is especially dangerous. Because these devices sit at network boundaries, compromise often grants deep network visibility and control.
References
Frequently asked questions
- What is CVE-2022-40684?
- An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
- How severe is CVE-2022-40684?
- CVE-2022-40684 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-40684 being actively exploited?
- Yes. CVE-2022-40684 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-10-11, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2022-40684?
- CVE-2022-40684 primarily affects Fortinet Fortiproxy. In total, 5 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-40684?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2022-40684 have an EU (EUVD) identifier?
- Yes. CVE-2022-40684 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-43955. It is also flagged as exploited in the EUVD (since 2022-10-11).
- When was CVE-2022-40684 published?
- CVE-2022-40684 was published on 2022-10-18 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/169431/Fortinet-FortiOS-FortiProxy-FortiSwitchManager-Authentication-Bypass.html
- http://packetstormsecurity.com/files/171515/Fortinet-7.2.1-Authentication-Bypass.html
- https://fortiguard.com/psirt/FG-IR-22-377
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-40684
Affected products (5)
- cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
- cpe:2.3:a:fortinet:fortiproxy:7.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:fortinet:fortiswitchmanager:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:fortinet:fortiswitchmanager:7.2.0:*:*:*:*:*:*:*
- cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
More vulnerabilities in Fortinet Fortiproxy
- CVE-2026-24858 — Critical (CVSS 9.8): An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet…
- CVE-2025-59718 — Critical (CVSS 9.8): A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0…
- CVE-2025-22252 — Critical (CVSS 9.8): A missing authentication for critical function in Fortinet FortiProxy versions 7.6.0 through 7.6.1, FortiSwitchManager…
- CVE-2023-25610 — Critical (CVSS 9.8): A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version…
- CVE-2024-55591 — Critical (CVSS 9.8): An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0…
- CVE-2023-42789 — Critical (CVSS 9.8): A out-of-bounds write in Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through…
All CVEs affecting Fortinet Fortiproxy →
Other CWE-287 (Improper Authentication) vulnerabilities
- CVE-2026-45480 — Critical (CVSS 10.0): Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-46389 — Critical (CVSS 10.0): UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS…
- CVE-2026-10611 — Critical (CVSS 10.0): An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement.…
- CVE-2026-47280 — Critical (CVSS 10.0): Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-42822 — Critical (CVSS 10.0): Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges…
- CVE-2026-20182 — Critical (CVSS 10.0): May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and…
Browse all CWE-287 (Improper Authentication) vulnerabilities →