CVE-2026-22572
Received
Received - Intake
Authentication Bypass via MFA Circumvention in Fortinet FortiAnalyzer and FortiManager
Publication date: 2026-03-10
Last updated on: 2026-03-16
Assigner: Fortinet, Inc.
Description
An authentication bypass using an alternate path or channel vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.3, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2.2 through 7.2.11, FortiManager 7.6.0 through 7.6.3, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2.2 through 7.2.11 may allow an attacker with knowledge of the admin's password to bypass multifactor authentication checks by submitting multiple crafted requests.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fortinet | fortianalyzer | From 7.6.0 (inc) to 7.6.4 (exc) |
| fortinet | fortianalyzer | From 7.2.2 (inc) to 7.4.8 (exc) |
| fortinet | fortimanager | From 7.2.2 (inc) to 7.4.8 (exc) |
| fortinet | fortimanager | From 7.6.0 (inc) to 7.6.4 (exc) |
| fortinet | fortimanager_cloud | From 7.2.2 (inc) to 7.4.8 (exc) |
| fortinet | fortimanager_cloud | From 7.6.0 (inc) to 7.6.4 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |