CVE-2026-22572
Received
Received - Intake
Authentication Bypass via MFA Circumvention in Fortinet FortiAnalyzer and FortiManager
Vulnerability report for CVE-2026-22572, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-03-10
Last updated on: 2026-03-16
Assigner: Fortinet, Inc.
Description
Description
An authentication bypass using an alternate path or channel vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.3, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2.2 through 7.2.11, FortiManager 7.6.0 through 7.6.3, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2.2 through 7.2.11 may allow an attacker with knowledge of the admins password to bypass multifactor authentication checks via submitting multiple crafted requests.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fortinet | fortianalyzer | From 7.6.0 (inc) to 7.6.4 (exc) |
| fortinet | fortianalyzer | From 7.2.2 (inc) to 7.4.8 (exc) |
| fortinet | fortimanager | From 7.2.2 (inc) to 7.4.8 (exc) |
| fortinet | fortimanager | From 7.6.0 (inc) to 7.6.4 (exc) |
| fortinet | fortimanager_cloud | From 7.2.2 (inc) to 7.4.8 (exc) |
| fortinet | fortimanager_cloud | From 7.6.0 (inc) to 7.6.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |