Fortinet
CVE-2024-26009
HIGH
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
An authentication bypass using an alternate path or channel [CWE-288] vulnerability in Fortinet FortiOS version 6.4.0 through 6.4.15 and before 6.2.16, FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.8 and before 7.0.15 & FortiPAM before version 1.2.0 allows an unauthenticated attacker to seize control of a managed device via crafted FGFM requests, if the device is managed by a FortiManager, and if the attacker knows that FortiManager's serial number.
AnalysisAI
Authentication bypass in Fortinet FortiOS 6.2.x-6.4.x, FortiProxy 7.0-7.4, and FortiPAM <1.2.0 allows remote unauthenticated attackers to seize full control of managed devices via crafted FGFM protocol requests when the device is managed by FortiManager and the attacker has obtained the FortiManager serial number. CVSS 8.1 reflects network-based attack with high complexity. EPSS probability of 0.11% suggests limited observed exploitation attempts, and no CISA KEV listing indicates no confirmed widespread active exploitation at time of analysis, though the privileged access granted makes this a critical patch priority for environments using FortiManager centralized management.
Technical ContextAI
The vulnerability exploits the FortiGate-to-FortiManager (FGFM) protocol, which is Fortinet's proprietary channel for centralized device management. CWE-288 (Authentication Bypass Using an Alternate Path or Channel) indicates the flaw allows attackers to circumvent normal authentication by sending specially crafted FGFM requests that impersonate legitimate FortiManager commands. The affected products span FortiOS (firewall operating system on versions 6.2.0-6.2.15 and 6.4.0-6.4.15), FortiProxy (secure web gateway on versions 7.0.0-7.0.14, 7.2.0-7.2.8, and 7.4.0-7.4.2), FortiPAM (privileged access management on versions prior to 1.2.0), and FortiSwitchManager. The attack vector (AV:N) confirms exploitation over standard networks, while high attack complexity (AC:H) reflects the prerequisite knowledge requirement of the managing FortiManager's serial number-a non-trivial but obtainable piece of information through reconnaissance, misconfigurations, or prior compromise.
RemediationAI
Upgrade to patched versions immediately for FortiManager-managed deployments: FortiOS 6.4.16 or later (or migrate to 7.0+ branches which are unaffected in the 6.x series, specifically upgrade 6.2.x to 6.2.16 or later), FortiProxy 7.4.3+ or 7.2.9+ or 7.0.15+, and FortiPAM 1.2.0 or later as specified in Fortinet advisory FG-IR-24-042 (https://fortiguard.fortinet.com/psirt/FG-IR-24-042). Compensating controls for environments unable to patch immediately: disable FortiManager connectivity on managed devices until patching is complete (trade-off: loss of centralized management and policy synchronization), implement strict network segmentation to limit FGFM protocol access (typically TCP/541) only from verified FortiManager IP addresses via firewall ACLs (trade-off: requires manual firewall rule updates and doesn't prevent attacks from compromised FortiManager network segments), and rotate FortiManager serial numbers if procedurally feasible though this requires FortiManager reconfiguration and device re-enrollment (significant operational overhead). Monitor FGFM connection logs for unexpected source IPs or unusual command patterns as detection layer. Standalone devices not managed by FortiManager are not vulnerable to this specific attack path but should still be patched as part of standard maintenance cycles.
Fortinet FortiWeb contains a relative path traversal allowing unauthenticated attackers to execute administrative comman
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Fortinet FortiWeb contains an authenticated OS command injection allowing privilege escalation to execute unauthorized c
Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0
Buffer overflow in the Cookie parser in Fortinet FortiOS 4.x before 4.1.11, 4.2.x before 4.2.13, and 4.3.x before 4.3.9
A product has a SQL injection vulnerability enabling unauthenticated database compromise through improperly neutralized
Remote code execution in Fortinet FortiClientEMS versions 7.4.5 through 7.4.6 allows unauthenticated attackers to execut
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in
Fortinet FortiAnalyzer and FortiManager contain a critical authentication bypass vulnerability (CVE-2026-24858, CVSS 9.8
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
The Gzip file parser in AVG Anti-Virus 10.0.0.1190, Bitdefender 7.2, Command Antivirus 5.2.11.5, Emsisoft Anti-Malware 5
The TAR file parser in AhnLab V3 Internet Security 2011.01.18.00, Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2.0.3.7,
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today