OpenCVE

An improper access control [CWE-284] vulnerability in FortiOS version 7.2.0 and versions 7.0.0 through 7.0.7 may allow a remote authenticated read-only user to modify the interface settings via the API.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Fortinet	Fortios

Configuration 1 [-]

OR	cpe:2.3:o:fortinet:fortios::::::::
	cpe:2.3:o:fortinet:fortios:7.2.0:::::::*

No data.

References

Link	Providers
https://fortiguard.com/psirt/FG-IR-22-174

History

Thu, 26 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2022-11-02T00:00:00.000Z

Updated: 2024-10-22T20:52:46.827Z

Reserved: 2022-08-16T00:00:00.000Z

Link: CVE-2022-38380

Vulnrichment

Updated: 2024-08-03T10:54:03.669Z

NVD

Status : Modified

Published: 2022-11-02T12:15:54.547

Modified: 2024-11-21T07:16:21.660

Link: CVE-2022-38380

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-38380", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "assignerShortName": "fortinet", "dateUpdated": "2024-10-22T20:52:46.827Z", "dateReserved": "2022-08-16T00:00:00.000Z", "datePublished": "2022-11-02T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2022-11-02T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "An improper access control [CWE-284] vulnerability in FortiOS version 7.2.0 and versions 7.0.0 through 7.0.7 may allow a remote authenticated read-only user to modify the interface settings via the API."}], "affected": [{"vendor": "Fortinet", "product": "Fortinet FortiOS", "versions": [{"version": "FortiOS 7.2.0, 7.0.7, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0", "status": "affected"}]}], "references": [{"url": "https://fortiguard.com/psirt/FG-IR-22-174"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:F/RL:X/RC:X", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "exploitCodeMaturity": "FUNCTIONAL", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "baseScore": 4.3, "temporalScore": 4.2, "baseSeverity": "MEDIUM", "temporalSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Improper access control"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:54:03.669Z"}, "title": "CVE Program Container", "references": [{"url": "https://fortiguard.com/psirt/FG-IR-22-174", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-22T20:19:00.406483Z", "id": "CVE-2022-38380", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T20:52:46.827Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://fortiguard.com/psirt/FG-IR-22-174", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:54:03.669Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-38380", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-22T20:19:00.406483Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T20:21:17.418Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:F/RL:X/RC:X", "temporalScore": 4.2, "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "temporalSeverity": "MEDIUM", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "exploitCodeMaturity": "FUNCTIONAL", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Fortinet", "product": "Fortinet FortiOS", "versions": [{"status": "affected", "version": "FortiOS 7.2.0, 7.0.7, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0"}]}], "references": [{"url": "https://fortiguard.com/psirt/FG-IR-22-174"}], "descriptions": [{"lang": "en", "value": "An improper access control [CWE-284] vulnerability in FortiOS version 7.2.0 and versions 7.0.0 through 7.0.7 may allow a remote authenticated read-only user to modify the interface settings via the API."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Improper access control"}]}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2022-11-02T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-38380", "state": "PUBLISHED", "dateUpdated": "2024-10-22T20:52:46.827Z", "dateReserved": "2022-08-16T00:00:00.000Z", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "datePublished": "2022-11-02T00:00:00.000Z", "assignerShortName": "fortinet"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "matchCriteriaId": "DEC5CAD3-53CB-45C3-B4EA-10AEFE6C0016", "versionEndIncluding": "7.0.7", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:fortinet:fortios:7.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "B9B87A2A-4C83-448B-8009-AD20214D58CB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An improper access control [CWE-284] vulnerability in FortiOS version 7.2.0 and versions 7.0.0 through 7.0.7 may allow a remote authenticated read-only user to modify the interface settings via the API."}, {"lang": "es", "value": "Una vulnerabilidad de control de acceso inadecuado [CWE-284] en FortiOS versi\u00f3n 7.2.0 y versiones 7.0.0 a 7.0.7 puede permitir que un usuario remoto de solo lectura autenticado modifique la configuraci\u00f3n de la interfaz a trav\u00e9s de la API."}], "id": "CVE-2022-38380", "lastModified": "2024-11-21T07:16:21.660", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "psirt@fortinet.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-02T12:15:54.547", "references": [{"source": "psirt@fortinet.com", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-22-174"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-22-174"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}