Skip to main content

Fortinet CVE-2024-26009

HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2025-08-12 psirt@fortinet.com
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Updated
Apr 20, 2026 - 09:45 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 20, 2026 - 09:37 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 19:06 vuln.today
CVE Published
Aug 12, 2025 - 19:15 nvd
HIGH 8.1

DescriptionCVE.org

An authentication bypass using an alternate path or channel [CWE-288] vulnerability in Fortinet FortiOS version 6.4.0 through 6.4.15 and before 6.2.16, FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.8 and before 7.0.15 & FortiPAM before version 1.2.0 allows an unauthenticated attacker to seize control of a managed device via crafted FGFM requests, if the device is managed by a FortiManager, and if the attacker knows that FortiManager's serial number.

AnalysisAI

Authentication bypass in Fortinet FortiOS 6.2.x-6.4.x, FortiProxy 7.0-7.4, and FortiPAM <1.2.0 allows remote unauthenticated attackers to seize full control of managed devices via crafted FGFM protocol requests when the device is managed by FortiManager and the attacker has obtained the FortiManager serial number. CVSS 8.1 reflects network-based attack with high complexity. EPSS probability of 0.11% suggests limited observed exploitation attempts, and no CISA KEV listing indicates no confirmed widespread active exploitation at time of analysis, though the privileged access granted makes this a critical patch priority for environments using FortiManager centralized management.

Technical ContextAI

The vulnerability exploits the FortiGate-to-FortiManager (FGFM) protocol, which is Fortinet's proprietary channel for centralized device management. CWE-288 (Authentication Bypass Using an Alternate Path or Channel) indicates the flaw allows attackers to circumvent normal authentication by sending specially crafted FGFM requests that impersonate legitimate FortiManager commands. The affected products span FortiOS (firewall operating system on versions 6.2.0-6.2.15 and 6.4.0-6.4.15), FortiProxy (secure web gateway on versions 7.0.0-7.0.14, 7.2.0-7.2.8, and 7.4.0-7.4.2), FortiPAM (privileged access management on versions prior to 1.2.0), and FortiSwitchManager. The attack vector (AV:N) confirms exploitation over standard networks, while high attack complexity (AC:H) reflects the prerequisite knowledge requirement of the managing FortiManager's serial number-a non-trivial but obtainable piece of information through reconnaissance, misconfigurations, or prior compromise.

RemediationAI

Upgrade to patched versions immediately for FortiManager-managed deployments: FortiOS 6.4.16 or later (or migrate to 7.0+ branches which are unaffected in the 6.x series, specifically upgrade 6.2.x to 6.2.16 or later), FortiProxy 7.4.3+ or 7.2.9+ or 7.0.15+, and FortiPAM 1.2.0 or later as specified in Fortinet advisory FG-IR-24-042 (https://fortiguard.fortinet.com/psirt/FG-IR-24-042). Compensating controls for environments unable to patch immediately: disable FortiManager connectivity on managed devices until patching is complete (trade-off: loss of centralized management and policy synchronization), implement strict network segmentation to limit FGFM protocol access (typically TCP/541) only from verified FortiManager IP addresses via firewall ACLs (trade-off: requires manual firewall rule updates and doesn't prevent attacks from compromised FortiManager network segments), and rotate FortiManager serial numbers if procedurally feasible though this requires FortiManager reconfiguration and device re-enrollment (significant operational overhead). Monitor FGFM connection logs for unexpected source IPs or unusual command patterns as detection layer. Standalone devices not managed by FortiManager are not vulnerable to this specific attack path but should still be patched as part of standard maintenance cycles.

CVE-2025-64446 CRITICAL POC
9.8 Nov 14

Fortinet FortiWeb contains a relative path traversal allowing unauthenticated attackers to execute administrative comman

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2025-58034 HIGH POC
7.2 Nov 18

Fortinet FortiWeb contains an authenticated OS command injection allowing privilege escalation to execute unauthorized c

CVE-2016-1909 CRITICAL POC
9.8 Jan 15

Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0

CVE-2016-6909 CRITICAL POC
9.8 Aug 24

Buffer overflow in the Cookie parser in Fortinet FortiOS 4.x before 4.1.11, 4.2.x before 4.2.13, and 4.3.x before 4.3.9

CVE-2026-21643 CRITICAL POC
9.8 Feb 06

A product has a SQL injection vulnerability enabling unauthenticated database compromise through improperly neutralized

CVE-2026-35616 CRITICAL POC
9.8 Apr 04

Remote code execution in Fortinet FortiClientEMS versions 7.4.5 through 7.4.6 allows unauthenticated attackers to execut

CVE-2025-25256 CRITICAL POC
9.8 Aug 12

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in

CVE-2026-24858 CRITICAL
9.8 Jan 27

Fortinet FortiAnalyzer and FortiManager contain a critical authentication bypass vulnerability (CVE-2026-24858, CVSS 9.8

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2012-1461 MEDIUM
4.3 Mar 21

The Gzip file parser in AVG Anti-Virus 10.0.0.1190, Bitdefender 7.2, Command Antivirus 5.2.11.5, Emsisoft Anti-Malware 5

CVE-2012-1459 MEDIUM
4.3 Mar 21

The TAR file parser in AhnLab V3 Internet Security 2011.01.18.00, Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2.0.3.7,

Share

CVE-2024-26009 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy