Authentication Bypass in Fortinet FortiPortal and FortiManager Products
CVE-2024-35277

8.4HIGH

Key Information:

Vendor: Fortinet
Status: Fortimanager
Vendor: CVE Published:; 14 January 2025

Summary

A vulnerability exists in Fortinet's FortiPortal and FortiManager products due to missing authentication for critical functionality. Attackers can exploit this weakness by sending specially crafted packets to gain unauthorized access to the configuration settings of managed devices. This oversight presents a significant security risk, potentially allowing malicious actors to manipulate device configurations without proper authorization.

Affected Version(s)

FortiManager 7.4.0 <= 7.4.2

FortiManager 7.2.0 <= 7.2.5

FortiManager 7.0.0 <= 7.0.12

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-135

CVSS V3.1

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jan 14, 2025