CVE-2024-50565

Media report

EPSS 0.06%
Published 08.04.2025 14:15:31
Last modified 25.07.2025 15:22:38
Source psirt@fortinet.com
Teams watchlist Login
Open Login

A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0.0 through 7.0.14, 6.4.0 through 6.4.15 and 6.2.0 through 6.2.16, Fortinet FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9, 7.0.0 through 7.0.15 and 2.0.0 through 2.0.14, Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and 6.2.0 through 6.2.13, Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and 6.2.0 through 6.2.13, Fortinet FortiVoice version 7.0.0 through 7.0.2, 6.4.0 through 6.4.8 and 6.0.0 through 6.0.12 and Fortinet FortiWeb version 7.4.0 through 7.4.2, 7.2.0 through 7.2.10, 7.0.0 through 7.0.10 allows an unauthenticated attacker in a man-in-the-middle position to impersonate the management device (FortiCloud server or/and in certain conditions, FortiManager), via intercepting the FGFM authentication request between the management device and the managed device

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

Fortinet ≫ Fortiweb Version >= 7.4.0 < 7.4.3

Fortinet ≫ Fortivoice Version >= 6.0.0 < 6.4.9

Fortinet ≫ Fortivoice Version >= 7.0.0 < 7.0.3

Fortinet ≫ Fortiproxy Version >= 2.0.0 < 7.0.16

Fortinet ≫ Fortiproxy Version >= 7.2.0 < 7.2.10

Fortinet ≫ Fortiproxy Version >= 7.4.0 < 7.4.3

Fortinet ≫ Fortios Version >= 6.4.0 < 7.0.16

Fortinet ≫ Fortios Version >= 7.2.0 < 7.2.9

Fortinet ≫ Fortios Version >= 7.4.0 < 7.4.5

Fortinet ≫ Fortimanager Version >= 6.2.0 < 6.2.14

Fortinet ≫ Fortimanager Version >= 6.4.0 < 6.4.15

Fortinet ≫ Fortimanager Version >= 7.0.0 < 7.0.12

Fortinet ≫ Fortimanager Version >= 7.2.0 < 7.2.5

Fortinet ≫ Fortimanager Version >= 7.4.0 < 7.4.3

Fortinet ≫ Fortianalyzer Version >= 6.2.0 < 6.2.14

Fortinet ≫ Fortianalyzer Version >= 6.4.0 < 6.4.15

Fortinet ≫ Fortianalyzer Version >= 7.0.0 < 7.0.12

Fortinet ≫ Fortianalyzer Version >= 7.2.0 < 7.2.5

Fortinet ≫ Fortianalyzer Version >= 7.4.0 < 7.4.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.06%	0.203

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	1.6	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
psirt@fortinet.com	3.1	1.6	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

CWE-300 Channel Accessible by Non-Endpoint

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

https://www.heise.de/news/Fortinet-stopft-Sicherheitsluecken-in-mehreren-Produkten-10346388.html

Medienbericht

heise Security

https://fortiguard.fortinet.com/psirt/FG-IR-24-046

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-50565

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-50565

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-50565

EUVD