Description
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
CVSS Metrics
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector
- network
- Complexity
- low
- Privileges
- none
- User Action
- none
- Scope
- unchanged
- Confidentiality
- high
- Integrity
- high
- Availability
- high
- Weaknesses
- CWE-287CWE-287
Metadata
- Primary Vendor
- FORTINET
- Published
- 10/18/2022
- Last Modified
- 1/12/2026
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
fortinet : fortiproxyfortinet : fortiproxyfortinet : fortiswitchmanagerfortinet : fortiswitchmanagerfortinet : fortiosfortinet : fortios
AI-Powered Remediation
Generate remediation guidance or a C-suite brief for this vulnerability.