How to fix CVE-2024-40590?

Within 30 days: Identify affected systems running FortiPortal and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Is Fortiportal affected by CVE-2024-40590?

Organizations using FortiPortal should be aware of moderate risk from CVE-2024-40590 rated CVSS 4.8. Exploitation could compromise the security of affected deployments. Organizations should apply vendor updates when available and monitor for exploitation.

Fortiportal CVE-2024-40590

MEDIUM

Improper Certificate Validation (CWE-295)

2025-03-14 [email protected]

Information Disclosure Fortiportal

4.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:31 vuln.today

CVE Published

Mar 14, 2025 - 15:15 nvd

MEDIUM 4.8

DescriptionNVD

An improper certificate validation vulnerability [CWE-295] in FortiPortal version 7.4.0, version 7.2.4 and below, version 7.0.8 and below, version 6.0.15 and below when connecting to a FortiManager device, a FortiAnalyzer device, or an SMTP server may allow an unauthenticated attacker in a Man-in-the-Middle position to intercept on and tamper with the encrypted communication channel established between the FortiPortal and those endpoints.

AnalysisAI

An improper certificate validation vulnerability [CWE-295] in FortiPortal version 7.4.0, version 7.2.4 and below, version 7.0.8 and below, version 6.0.15 and below when connecting to a FortiManager. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-295. An improper certificate validation vulnerability [CWE-295] in FortiPortal version 7.4.0, version 7.2.4 and below, version 7.0.8 and below, version 6.0.15 and below when connecting to a FortiManager device, a FortiAnalyzer device, or an SMTP server may allow an unauthenticated attacker in a Man-in-the-Middle position to intercept on and tamper with the encrypted communication channel established between the FortiPortal and those endpoints. Affected products include: Fortinet Fortiportal. Version information: version 7.4.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2024-40590 vulnerability details – vuln.today

Back

Fortiportal CVE-2024-40590

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code