Authentication Bypass in Fortinet FortiPortal and FortiManager Products
CVE-2024-35277

7.5HIGH

Key Information:

Vendor: Fortinet
Status: Fortimanager
Vendor: CVE Published:; 14 January 2025

What is CVE-2024-35277?

A vulnerability exists in Fortinet's FortiPortal and FortiManager products due to missing authentication for critical functionality. Attackers can exploit this weakness by sending specially crafted packets to gain unauthorized access to the configuration settings of managed devices. This oversight presents a significant security risk, potentially allowing malicious actors to manipulate device configurations without proper authorization.

Affected Version(s)

FortiManager 7.4.0 <= 7.4.2

FortiManager 7.2.0 <= 7.2.5

FortiManager 7.0.0 <= 7.0.12

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-135

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 14, 2025