CVE-2026-22572: Improper access control in Fortinet FortiManager
An authentication bypass using an alternate path or channel vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.3, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2.2 through 7.2.11, FortiManager 7.6.0 through 7.6.3, FortiManager 7.4.0 through 7.4.7, and FortiManager 7.2.2 through 7.2.11 may allow an attacker with knowledge of the admin's password to bypass multifactor authentication checks by submitting multiple crafted requests.
AI Analysis
Technical Summary
CVE-2026-22572 is an authentication bypass vulnerability identified in Fortinet's FortiManager and FortiAnalyzer products, including their Cloud versions, spanning multiple releases from 7.2.2 to 7.6.3. The vulnerability arises from improper access control that allows an attacker, who already possesses the administrator password, to circumvent multifactor authentication (MFA) mechanisms by submitting multiple crafted requests through an alternate path or channel. This bypass effectively negates the additional security layer provided by MFA, enabling unauthorized access to administrative functions. The vulnerability affects network management and security orchestration platforms critical for managing Fortinet security appliances and logging. The CVSS v3.1 base score is 6.8, reflecting a medium severity with high impact on confidentiality, integrity, and availability, but requiring prior knowledge of admin credentials and no user interaction. The flaw is exploitable remotely over the network with low attack complexity. Although no active exploits have been reported, the potential for privilege escalation and full system compromise is significant. The vulnerability was publicly disclosed in March 2026, and Fortinet has not yet provided official patches or mitigation instructions, increasing the urgency for organizations to apply compensating controls.
Potential Impact
The vulnerability allows attackers who have obtained administrator passwords to bypass MFA, significantly increasing the risk of unauthorized administrative access. This can lead to full compromise of the affected FortiManager and FortiAnalyzer systems, including unauthorized configuration changes, data exfiltration, and disruption of network security management. Since these platforms centrally manage Fortinet security devices and logs, exploitation could undermine the entire security posture of an organization, potentially allowing attackers to disable security controls, manipulate logs to cover tracks, and disrupt network operations. The impact extends to confidentiality, integrity, and availability of critical security infrastructure. Organizations relying on these products for centralized management and monitoring are at risk of severe operational and security consequences. The lack of known exploits in the wild currently limits immediate widespread impact, but the vulnerability presents a high-risk vector if combined with credential compromise.
Mitigation Recommendations
Organizations should immediately verify whether they are running affected versions of FortiManager, FortiAnalyzer, or their Cloud variants. Until official patches are released, implement strict network segmentation so that management interfaces are reachable only by trusted administrators from secure networks. Enforce strong password policies and monitor for unusual authentication attempts or patterns indicative of crafted request submissions. Employ additional layers of security such as IP whitelisting, VPN access, and anomaly detection on management traffic. Regularly audit administrative accounts and consider temporarily disabling remote management access where feasible. Stay updated with Fortinet advisories for patch releases and apply them promptly once available. Additionally, consider deploying Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) with custom rules to detect and block suspicious multi-request authentication attempts targeting these platforms.
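An added example (not Fortinet's code and not part of the original page) for the first step above: triaging an inventory against the version ranges listed in the description. The `hostname,product,version` input format and the sample hostnames are assumptions; Cloud variants fall through to "unknown" because the description lists no ranges for them.

```python
import re

# Affected ranges exactly as listed in the CVE description (inclusive bounds).
# The same three ranges are given for FortiManager and FortiAnalyzer.
RANGES = [((7, 6, 0), (7, 6, 3)), ((7, 4, 0), (7, 4, 7)), ((7, 2, 2), (7, 2, 11))]
AFFECTED = {"fortimanager": RANGES, "fortianalyzer": RANGES}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract the first major.minor.patch triple as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(product, version_text):
    """Return 'affected', 'not-listed' or 'unknown' for one inventory entry."""
    ranges = AFFECTED.get(product.strip().lower())
    version = parse_version(version_text)
    if ranges is None or version is None:
        return "unknown"  # unrecognised product or unparsable version: review by hand
    # Tuples compare numerically per component, so 7.2.11 sorts above 7.2.9.
    if any(low <= version <= high for low, high in ranges):
        return "affected"
    return "not-listed"  # outside the listed ranges; not a statement that it is fixed

def triage(inventory_lines):
    """Map 'hostname,product,version' lines to (hostname, status) pairs."""
    results = []
    for line in filter(None, (l.strip() for l in inventory_lines)):
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            results.append((line, "unknown"))  # malformed row: review by hand
            continue
        results.append((fields[0], classify(fields[1], fields[2])))
    return results

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = """\
fmg-core-01,FortiManager,7.4.7
faz-logs-01,FortiAnalyzer,v7.2.11
faz-logs-02,FortiAnalyzer,7.2.1
fmg-lab-01,FortiManager,7.6.4
fmg-dr-01,FortiManager,unknown
""".splitlines()

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status}")
```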
Affected Countries
United States, Germany, United Kingdom, France, Japan, Australia, Canada, India, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: fortinet
- Date Reserved: 2026-01-07T18:30:44.882Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b05634ea502d3aa87d6bc4
Added to database: 3/10/2026, 5:34:44 PM
Last enriched: 3/10/2026, 5:53:26 PM
Last updated: 3/14/2026, 1:23:03 AM