Skip to main content

Fortiportal CVE-2024-40590

MEDIUM
Improper Certificate Validation (CWE-295)
2025-03-14 psirt@fortinet.com
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 28, 2026 - 18:31 vuln.today
CVE Published
Mar 14, 2025 - 15:15 nvd
MEDIUM 4.8

DescriptionCVE.org

An improper certificate validation vulnerability [CWE-295] in FortiPortal version 7.4.0, version 7.2.4 and below, version 7.0.8 and below, version 6.0.15 and below when connecting to a FortiManager device, a FortiAnalyzer device, or an SMTP server may allow an unauthenticated attacker in a Man-in-the-Middle position to intercept on and tamper with the encrypted communication channel established between the FortiPortal and those endpoints.

AnalysisAI

An improper certificate validation vulnerability [CWE-295] in FortiPortal version 7.4.0, version 7.2.4 and below, version 7.0.8 and below, version 6.0.15 and below when connecting to a FortiManager. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-295. An improper certificate validation vulnerability [CWE-295] in FortiPortal version 7.4.0, version 7.2.4 and below, version 7.0.8 and below, version 6.0.15 and below when connecting to a FortiManager device, a FortiAnalyzer device, or an SMTP server may allow an unauthenticated attacker in a Man-in-the-Middle position to intercept on and tamper with the encrypted communication channel established between the FortiPortal and those endpoints. Affected products include: Fortinet Fortiportal. Version information: version 7.4.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2024-26011 CRITICAL
9.8 Nov 12

A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4

CVE-2021-32588 CRITICAL
9.8 Aug 18

A use of hard-coded credentials (CWE-798) vulnerability in FortiPortal versions 5.2.5 and below, 5.3.5 and below, 6.0.4

CVE-2017-7337 CRITICAL
9.1 May 27

An improper Access Control vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to interact

CVE-2023-48791 HIGH
8.8 Dec 13

An improper neutralization of special elements used in a command ('Command Injection') vulnerability [CWE-77] in FortiPo

CVE-2021-32590 HIGH
8.8 Aug 04

Multiple improper neutralization of special elements used in an SQL command vulnerabilities in FortiPortal 6.0.0 through

CVE-2025-24470 HIGH
8.6 Feb 11

An Improper Resolution of Path Equivalence vulnerability [CWE-41] in FortiPortal 7.4.0 through 7.4.2, 7.2.0 through 7.2.

CVE-2021-36172 HIGH
8.1 Nov 02

An improper restriction of XML external entity reference vulnerability in the parser of XML responses of FortiPortal bef

CVE-2021-32594 HIGH
8.1 Aug 04

An unrestricted file upload vulnerability in the web interface of FortiPortal 6.0.0 through 6.0.4, 5.3.0 through 5.3.5,

CVE-2017-7338 HIGH
7.5 May 27

A password management vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to carry out inf

CVE-2017-7731 HIGH
7.5 May 27

A weak password recovery vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows attacker to carry out inf

CVE-2024-23105 HIGH
7.5 May 14

A Use Of Less Trusted Source [CWE-348] vulnerability in Fortinet FortiPortal version 7.0.0 through 7.0.6 and version 7.2

CVE-2021-36174 HIGH
7.5 Nov 02

A memory allocation with excessive size value vulnerability in the license verification function of FortiPortal before 6

Share

CVE-2024-40590 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy