CVE-2024-26013

Media report

EPSS 0.07%
Published 08.04.2025 14:15:30
Last modified 25.07.2025 15:22:20
Source psirt@fortinet.com
Teams watchlist Login
Open Login

A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15 and before 6.2.16, Fortinet FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9 and before 7.0.15, Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and before 6.2.13, Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and before 6.2.13, Fortinet FortiVoice version 7.0.0 through 7.0.2 before 6.4.8 and Fortinet FortiWeb before 7.4.2 may allow an unauthenticated attacker in a man-in-the-middle position to impersonate the management device (FortiCloud server or/and in certain conditions, FortiManager), via intercepting the FGFM authentication request between the management device and the managed device

Affected products Warnungen 0 Metrics 2 CWE 1 References 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

Fortinet ≫ Fortianalyzer Version >= 6.2.0 < 6.2.14

Fortinet ≫ Fortianalyzer Version >= 6.4.0 < 6.4.15

Fortinet ≫ Fortianalyzer Version >= 7.0.0 < 7.0.12

Fortinet ≫ Fortianalyzer Version >= 7.2.0 < 7.2.5

Fortinet ≫ Fortianalyzer Version >= 7.4.0 < 7.4.3

Fortinet ≫ Fortimanager Version >= 6.2.0 < 6.2.14

Fortinet ≫ Fortimanager Version >= 6.4.0 < 6.4.15

Fortinet ≫ Fortimanager Version >= 7.0.0 < 7.0.12

Fortinet ≫ Fortimanager Version >= 7.2.0 < 7.2.5

Fortinet ≫ Fortimanager Version >= 7.4.0 < 7.4.3

Fortinet ≫ Fortios Version >= 6.4.0 < 7.0.16

Fortinet ≫ Fortios Version >= 7.2.0 < 7.2.9

Fortinet ≫ Fortios Version >= 7.4.0 < 7.4.5

Fortinet ≫ Fortiproxy Version >= 2.0.0 < 7.0.16

Fortinet ≫ Fortiproxy Version >= 7.2.0 < 7.2.10

Fortinet ≫ Fortiproxy Version >= 7.4.0 < 7.4.3

Fortinet ≫ Fortivoice Version >= 6.0.0 < 6.4.9

Fortinet ≫ Fortivoice Version >= 7.0.0 < 7.0.3

Fortinet ≫ Fortiweb Version >= 7.4.0 < 7.4.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.07%	0.216

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
psirt@fortinet.com	7.5	1.6	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-923 Improper Restriction of Communication Channel to Intended Endpoints

The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

https://www.heise.de/news/Fortinet-stopft-Sicherheitsluecken-in-mehreren-Produkten-10346388.html

Medienbericht

heise Security

https://fortiguard.fortinet.com/psirt/FG-IR-24-046

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-26013

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-26013

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-26013

EUVD