HIGH🇵🇱 Wersja polska

CVE-2024-26013

CVSS 7.5v3.1pub. 2025-04-08upd. 2025-07-25

A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15 and before 6.2.16, Fortinet FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9 and before 7.0.15, Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and before 6.2.13, Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and before 6.2.13, Fortinet FortiVoice version 7.0.0 through 7.0.2 before 6.4.8 and Fortinet FortiWeb before 7.4.2 may allow an unauthenticated attacker in a man-in-the-middle position to impersonate the management device (FortiCloud server or/and in certain conditions, FortiManager), via intercepting the FGFM authentication request between the management device and the managed device

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Fortinet Fortianalyzer

    APP
    Fortinet
    6.2.0 – 6.2.14 (bez)6.4.0 – 6.4.15 (bez)7.0.0 – 7.0.12 (bez)7.2.0 – 7.2.5 (bez)7.4.0 – 7.4.3 (bez)
  • Fortinet Fortimanager

    APP
    Fortinet
    6.2.0 – 6.2.14 (bez)6.4.0 – 6.4.15 (bez)7.0.0 – 7.0.12 (bez)7.2.0 – 7.2.5 (bez)7.4.0 – 7.4.3 (bez)
  • Fortinet FortiOS

    OS
    Fortinet
    6.4.0 – 7.0.16 (bez)7.2.0 – 7.2.9 (bez)7.4.0 – 7.4.5 (bez)
  • Fortinet Fortiproxy

    APP
    Fortinet
    2.0.0 – 7.0.16 (bez)7.2.0 – 7.2.10 (bez)7.4.0 – 7.4.3 (bez)
  • Fortinet Fortivoice

    APP
    Fortinet
    6.0.0 – 6.4.9 (bez)7.0.0 – 7.0.3 (bez)
  • Fortinet Fortiweb

    APP
    Fortinet
    7.4.0 – 7.4.3 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth BypassFirewall
CWE
References

Related vulnerabilities

CVE-2026-24858CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Fortinet – Auth Bypass przez FortiCloud SSO w wielu produktach

CVE-2025-59718CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Fortinet FortiOS/FortiProxy/FortiSwitchManager — Auth Bypass przez SAML

CVE-2025-64446CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Path Traversal w Fortinet FortiWeb umożliwiający zdalne wykonanie poleceń

CVE-2025-25257CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Krytyczna podatność SQL Injection w Fortinet FortiWeb — obejście uwierzytelnienia

CVE-2025-32756CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Stack-based buffer overflow RCE w produktach Fortinet (FortiMail, FortiVoice i inne)