CVE-2024-26009
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-08-12
Last updated on: 2026-04-20
Assigner: Fortinet, Inc.
Description
Description
An authentication bypass using an alternate path or channel [CWE-288] vulnerability in Fortinet FortiOS 6.4.0 through 6.4.15, FortiOS 6.2.0 through 6.2.16, FortiOS 6.0 all versions, FortiPAM 1.2.0, FortiPAM 1.1.0 through 1.1.2, FortiPAM 1.0.0 through 1.0.3, FortiProxy 7.4.0 through 7.4.2, FortiProxy 7.2.0 through 7.2.8, FortiProxy 7.0.0 through 7.0.15, FortiSwitchManager 7.2.0 through 7.2.3, FortiSwitchManager 7.0.0 through 7.0.3 allows an unauthenticated attacker to seize control of a managed device via crafted FGFM requests, if the device is managed by a FortiManager, and if the attacker knows that FortiManager's serial number.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fortinet | fortiproxy | From 7.6.0 (inc) to 7.6.4 (inc) |
| fortinet | fortiproxy | From 7.6.0 (inc) to 7.6.4 (inc) |
| fortinet | fortiproxy | From 7.6.0 (inc) to 7.6.4 (inc) |
| fortinet | fortios | From 7.4.0 (inc) to 7.4.9 (inc) |
| fortinet | fortiswitchmanager | From 7.2.0 (inc) to 7.2.7 (inc) |
| fortinet | fortiswitchmanager | From 7.2.0 (inc) to 7.2.7 (inc) |
| fortinet | fortipam | From 1.0.0 (inc) to 1.2.0 (inc) |
| fortinet | fortios | From 7.4.0 (inc) to 7.4.9 (inc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authentication bypass in Fortinet FortiOS, FortiProxy, and FortiPAM devices. It allows an unauthenticated attacker to take control of a managed device by sending specially crafted FGFM requests if the device is managed by a FortiManager and the attacker knows the FortiManager's serial number.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to gain unauthorized control over managed devices, potentially leading to full compromise of the device's confidentiality, integrity, and availability.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70