FortiClient Zero-Day Vulnerability Allows Remote Man-in-the-Middle Attacks

CVE-2024-31489

8.1HIGH

Key Information

Vendor
Fortinet
Status
Forticlientmac
Forticlientems
Forticlientlinux
Forticlientwindows
Vendor
CVE Published:
10 September 2024

Summary

AAn improper certificate validation vulnerability [CWE-295] in FortiClientWindows 7.2.0 through 7.2.2, 7.0.0 through 7.0.11, FortiClientLinux 7.2.0, 7.0.0 through 7.0.11 and FortiClientMac 7.0.0 through 7.0.11, 7.2.0 through 7.2.4 may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the FortiGate and the FortiClient during the ZTNA tunnel creation

Affected Version(s)

FortiClientMac <= 7.2.4

FortiClientMac <= 7.0.11

FortiClientEMS <= 7.0.13

Refferences

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database
.