Improper Communication Channel Restriction in Fortinet FortiOS and Related Products
CVE-2024-26013

7.1HIGH

Key Information:

Vendor
Fortinet
Status
Fortiproxy
Fortimanager
FortiOS
Vendor
CVE Published:
8 April 2025

Summary

An improper restriction of communication channel vulnerability in Fortinet products allows unauthenticated attackers positioned in a man-in-the-middle role to impersonate vital management devices, such as FortiCloud or FortiManager, by intercepting FGFM authentication requests between managed and management devices. This flaw affects multiple versions of FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiVoice, and FortiWeb, potentially leading to unauthorized access and control over network configurations.

Affected Version(s)

FortiManager 7.4.0 <= 7.4.2

FortiManager 7.2.0 <= 7.2.4

FortiManager 7.0.0 <= 7.0.11

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-046

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2024-26013 : Improper Communication Channel Restriction in Fortinet FortiOS and Related Products | SecurityVulnerability.io