CVE-2024-21757

Summary

A unverified password change in Fortinet FortiManager versions 7.0.0 through 7.0.10, versions 7.2.0 through 7.2.4, and versions 7.4.0 through 7.4.1, as well as Fortinet FortiAnalyzer versions 7.0.0 through 7.0.10, versions 7.2.0 through 7.2.4, and versions 7.4.0 through 7.4.1, allows an attacker to modify admin passwords via the device configuration backup.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiManager7.4.0 <= 7.4.1affected
FortinetFortiManager7.2.0 <= 7.2.4affected
FortinetFortiManager7.0.0 <= 7.0.10affected
FortinetFortiAnalyzer7.4.0 <= 7.4.1affected
FortinetFortiAnalyzer7.2.0 <= 7.2.4affected
FortinetFortiAnalyzer7.0.0 <= 7.0.10affected

Weaknesses

  • CWE-620: Escalation of privilege

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References