CVE-2024-50565

Medienbericht

EPSS 0.06%
Veröffentlicht 08.04.2025 14:15:31
Zuletzt bearbeitet 25.07.2025 15:22:38
Quelle psirt@fortinet.com
Teams Watchlist Login
Unerledigt Login

A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0.0 through 7.0.14, 6.4.0 through 6.4.15 and 6.2.0 through 6.2.16, Fortinet FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9, 7.0.0 through 7.0.15 and 2.0.0 through 2.0.14, Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and 6.2.0 through 6.2.13, Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and 6.2.0 through 6.2.13, Fortinet FortiVoice version 7.0.0 through 7.0.2, 6.4.0 through 6.4.8 and 6.0.0 through 6.0.12 and Fortinet FortiWeb version 7.4.0 through 7.4.2, 7.2.0 through 7.2.10, 7.0.0 through 7.0.10 allows an unauthenticated attacker in a man-in-the-middle position to impersonate the management device (FortiCloud server or/and in certain conditions, FortiManager), via intercepting the FGFM authentication request between the management device and the managed device

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Fortinet ≫ Fortiweb Version >= 7.4.0 < 7.4.3

Fortinet ≫ Fortivoice Version >= 6.0.0 < 6.4.9

Fortinet ≫ Fortivoice Version >= 7.0.0 < 7.0.3

Fortinet ≫ Fortiproxy Version >= 2.0.0 < 7.0.16

Fortinet ≫ Fortiproxy Version >= 7.2.0 < 7.2.10

Fortinet ≫ Fortiproxy Version >= 7.4.0 < 7.4.3

Fortinet ≫ Fortios Version >= 6.4.0 < 7.0.16

Fortinet ≫ Fortios Version >= 7.2.0 < 7.2.9

Fortinet ≫ Fortios Version >= 7.4.0 < 7.4.5

Fortinet ≫ Fortimanager Version >= 6.2.0 < 6.2.14

Fortinet ≫ Fortimanager Version >= 6.4.0 < 6.4.15

Fortinet ≫ Fortimanager Version >= 7.0.0 < 7.0.12

Fortinet ≫ Fortimanager Version >= 7.2.0 < 7.2.5

Fortinet ≫ Fortimanager Version >= 7.4.0 < 7.4.3

Fortinet ≫ Fortianalyzer Version >= 6.2.0 < 6.2.14

Fortinet ≫ Fortianalyzer Version >= 6.4.0 < 6.4.15

Fortinet ≫ Fortianalyzer Version >= 7.0.0 < 7.0.12

Fortinet ≫ Fortianalyzer Version >= 7.2.0 < 7.2.5

Fortinet ≫ Fortianalyzer Version >= 7.4.0 < 7.4.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.203

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	1.6	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
psirt@fortinet.com	3.1	1.6	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

CWE-300 Channel Accessible by Non-Endpoint

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

https://www.heise.de/news/Fortinet-stopft-Sicherheitsluecken-in-mehreren-Produkten-10346388.html

Medienbericht

heise Security

https://fortiguard.fortinet.com/psirt/FG-IR-24-046

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-50565

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-50565

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-50565

EUVD