CVE-2024-52965
BaseFortify
Publication date: 2025-07-08
Last updated on: 2025-07-22
Assigner: Fortinet, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fortinet | fortiproxy | From 7.6.0 (inc) to 7.6.4 (inc) |
| fortinet | fortios | From 7.4.0 (inc) to 7.4.9 (inc) |
| fortinet | fortios | 7.6.0 |
| fortinet | fortios | 7.6.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| NVD-CWE-Other | Other (NVD placeholder used when no more specific CWE is assigned) |
| CWE-304 | Missing Critical Step in Authentication: the product implements an authentication technique, but it skips a step that weakens the technique. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a missing critical step in the authentication process in certain versions of Fortinet FortiOS and FortiProxy. It allows an API user who authenticates using an API key combined with a PKI user certificate to log in even if the certificate is invalid, effectively bypassing proper certificate validation.
How can this vulnerability impact me?
The weakness removes the certificate factor from API authentication. An attacker who obtains an API user's key (for example through a leaked script, backup or configuration export) can authenticate with any certificate, including an expired, revoked or self-signed one, so the PKI binding no longer protects against key theft. The access gained is whatever the compromised API user's profile grants; for an administrative profile this can mean full compromise of the confidentiality, integrity and availability of the affected device. Until upgraded to a fixed release, treat API keys on affected versions as single-factor credentials: restrict the source addresses allowed to use them, rotate any key that may have been exposed, and review API login events for certificate-bound users.
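The following is an added illustration of the CWE-304 pattern the Q&A above describes, written for this page; it is not Fortinet code and does not reproduce the FortiOS or FortiProxy implementation. It models an API user whose key is bound to a PKI subject, and contrasts a login routine that checks only for the presence of a certificate with one that runs every validation step. The trust store, user record, API key, subject names, serial numbers and timestamps are constructed for the example, and the issuer signature is emulated with HMAC as a stand-in for X.509 signature verification so that the script runs with the standard library alone.

```python
"""Model of API-key + PKI-certificate login with and without the missing step.

Constructed example (not Fortinet code). The certificate model is a stand-in
for X.509: the issuer "signature" is an HMAC over the to-be-signed fields.
"""
from __future__ import annotations

import hashlib
import hmac
import logging
from dataclasses import dataclass

log = logging.getLogger("api-auth")


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: int  # unix seconds
    not_after: int   # unix seconds
    serial: int
    signature: bytes


# Hypothetical trust store: issuer name -> issuer key (stands in for CA public key).
TRUSTED_ISSUERS = {"Corp-Root-CA": b"corp-root-ca-key"}
# Hypothetical revocation list, keyed by serial number.
REVOKED_SERIALS = {4242}
# Hypothetical API user: key hash plus the PKI subject the key is bound to.
API_USERS = {
    "api-admin": {
        "api_key_hash": hashlib.sha256(b"example-api-key").hexdigest(),
        "pki_subject": "CN=api-admin,O=Corp",
    }
}


def _tbs(subject: str, issuer: str, not_before: int, not_after: int, serial: int) -> bytes:
    """Serialize the fields covered by the issuer signature."""
    return f"{subject}|{issuer}|{not_before}|{not_after}|{serial}".encode()


def issue_cert(issuer: str, issuer_key: bytes, subject: str,
               not_before: int, not_after: int, serial: int) -> Cert:
    """Issue a certificate signed (HMAC stand-in) by the named issuer."""
    sig = hmac.new(issuer_key, _tbs(subject, issuer, not_before, not_after, serial),
                   hashlib.sha256).digest()
    return Cert(subject, issuer, not_before, not_after, serial, sig)


def validate_cert(cert: Cert, expected_subject: str, now: int) -> list[str]:
    """Return every reason the certificate is unacceptable; empty list means valid."""
    problems: list[str] = []
    issuer_key = TRUSTED_ISSUERS.get(cert.issuer)
    if issuer_key is None:
        problems.append("untrusted issuer")
    else:
        expected_sig = hmac.new(issuer_key, _tbs(cert.subject, cert.issuer, cert.not_before,
                                                 cert.not_after, cert.serial),
                                hashlib.sha256).digest()
        if not hmac.compare_digest(cert.signature, expected_sig):
            problems.append("bad signature")
    if not (cert.not_before <= now <= cert.not_after):
        problems.append("outside validity period")
    if cert.serial in REVOKED_SERIALS:
        problems.append("revoked")
    if cert.subject != expected_subject:
        problems.append("subject does not match API user binding")
    return problems


def check_api_key(username: str, api_key: str) -> bool:
    user = API_USERS.get(username)
    if user is None:
        return False
    digest = hashlib.sha256(api_key.encode()).hexdigest()
    return hmac.compare_digest(digest, user["api_key_hash"])


def login_vulnerable(username: str, api_key: str, cert: Cert | None, now: int) -> bool:
    """CWE-304 shape: the certificate is required to be present but never validated."""
    if not check_api_key(username, api_key):
        return False
    return cert is not None  # missing step: validate_cert() is never called


def login_fixed(username: str, api_key: str, cert: Cert | None, now: int) -> bool:
    """Both factors must pass; any certificate problem rejects the login and is logged."""
    if not check_api_key(username, api_key) or cert is None:
        return False
    problems = validate_cert(cert, API_USERS[username]["pki_subject"], now)
    if problems:
        log.warning("API login rejected for %s: %s", username, ", ".join(problems))
        return False
    return True


def demo(now: int = 1_750_000_000) -> dict[str, bool]:
    """Run constructed scenarios through both login routines."""
    ca_key = TRUSTED_ISSUERS["Corp-Root-CA"]
    good = issue_cert("Corp-Root-CA", ca_key, "CN=api-admin,O=Corp", now - 3600, now + 3600, 1)
    expired = issue_cert("Corp-Root-CA", ca_key, "CN=api-admin,O=Corp", now - 7200, now - 60, 2)
    self_signed = issue_cert("Attacker-CA", b"attacker-key", "CN=api-admin,O=Corp",
                             now - 3600, now + 3600, 3)
    key = "example-api-key"
    return {
        "vuln_good_cert": login_vulnerable("api-admin", key, good, now),
        "vuln_expired_cert": login_vulnerable("api-admin", key, expired, now),
        "vuln_self_signed": login_vulnerable("api-admin", key, self_signed, now),
        "fixed_good_cert": login_fixed("api-admin", key, good, now),
        "fixed_expired_cert": login_fixed("api-admin", key, expired, now),
        "fixed_self_signed": login_fixed("api-admin", key, self_signed, now),
        "fixed_wrong_key": login_fixed("api-admin", "wrong-key", good, now),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for scenario, accepted in demo().items():
        print(f"{scenario}: {'accepted' if accepted else 'rejected'}")
```

The point of the contrast is that the vulnerable routine is not obviously broken: it does demand a certificate, it just never runs the checks that give the certificate any meaning, so a stolen key plus any certificate logs in. The fixed routine also returns all detected problems rather than the first one, which is what you want in the rejection log when reviewing API login events for certificate-bound users.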