CVE-2024-26013

Summary

A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15 and before 6.2.16, Fortinet FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9 and before 7.0.15, Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and before 6.2.13, Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and before 6.2.13, Fortinet FortiVoice version 7.0.0 through 7.0.2 before 6.4.8 and Fortinet FortiWeb before 7.4.2 may allow an unauthenticated attacker in a man-in-the-middle position to impersonate the management device (FortiCloud server or/and in certain conditions, FortiManager), via intercepting the FGFM authentication request between the management device and the managed device

Affected Software

VendorProductVersion RangeStatus
FortinetFortiProxy7.4.0 <= 7.4.2affected
FortinetFortiProxy7.2.0 <= 7.2.9affected
FortinetFortiProxy7.0.0 <= 7.0.15affected
FortinetFortiProxy2.0.0 <= 2.0.14affected
FortinetFortiManager7.4.0 <= 7.4.2affected
FortinetFortiManager7.2.0 <= 7.2.4affected
FortinetFortiManager7.0.0 <= 7.0.11affected
FortinetFortiManager6.4.0 <= 6.4.14affected
FortinetFortiManager6.2.0 <= 6.2.13affected
FortinetFortiOS7.4.0 <= 7.4.3affected
FortinetFortiOS7.2.0 <= 7.2.7affected
FortinetFortiOS7.0.0 <= 7.0.14affected
FortinetFortiOS6.4.0 <= 6.4.15affected
FortinetFortiOS6.2.0 <= 6.2.16affected

Weaknesses

  • CWE-923: Improper access control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References