9.8
CVE-2024-47575
- EPSS 91.38%
- Published 23.10.2024 15:15:30
- Last modified 08.11.2024 21:16:28
- Source psirt@fortinet.com
- Teams watchlist Login
- Open Login
A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.12, Fortinet FortiManager Cloud 7.4.1 through 7.4.4, FortiManager Cloud 7.2.1 through 7.2.7, FortiManager Cloud 7.0.1 through 7.0.12, FortiManager Cloud 6.4.1 through 6.4.7 allows attacker to execute arbitrary code or commands via specially crafted requests.
Data is provided by the National Vulnerability Database (NVD)
Fortinet ≫ Fortimanager Version >= 6.2.0 < 6.2.13
Fortinet ≫ Fortimanager Version >= 6.4.0 < 6.4.15
Fortinet ≫ Fortimanager Version >= 7.0.0 < 7.0.13
Fortinet ≫ Fortimanager Version >= 7.2.0 < 7.2.8
Fortinet ≫ Fortimanager Version >= 7.4.0 < 7.4.5
Fortinet ≫ Fortimanager Version7.6.0
Fortinet ≫ Fortimanager Cloud Version >= 6.4.1 <= 6.4.7
Fortinet ≫ Fortimanager Cloud Version >= 7.0.1 < 7.0.13
Fortinet ≫ Fortimanager Cloud Version >= 7.2.1 < 7.2.8
Fortinet ≫ Fortimanager Cloud Version >= 7.4.1 < 7.4.5
23.10.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog
Fortinet FortiManager Missing Authentication Vulnerability
VulnerabilityFortinet FortiManager contains a missing authentication vulnerability in the fgfmd daemon that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.
DescriptionApply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Required actions| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 91.38% | 0.996 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| psirt@fortinet.com | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-306 Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.