CVE-2024-47575

23.10.2024, 15:15

A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.12, Fortinet FortiManager Cloud 7.4.1 through 7.4.4, FortiManager Cloud 7.2.1 through 7.2.7, FortiManager Cloud 7.0.1 through 7.0.12, FortiManager Cloud 6.4.1 through 6.4.7 allows attacker to execute arbitrary code or commands via specially crafted requests.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
fortinet	CNA	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:U/RC:C
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Vendor	Product	Version
fortinet	fortimanager	6.2.0 ≤ 𝑥 < 6.2.13
fortinet	fortimanager	6.4.0 ≤ 𝑥 < 6.4.15
fortinet	fortimanager	7.0.0 ≤ 𝑥 < 7.0.13
fortinet	fortimanager	7.2.0 ≤ 𝑥 < 7.2.8
fortinet	fortimanager	7.4.0 ≤ 𝑥 < 7.4.5
fortinet	fortimanager	7.6.0
fortinet	fortimanager_cloud	6.4.1 ≤ 𝑥 ≤ 6.4.7
fortinet	fortimanager_cloud	7.0.1 ≤ 𝑥 < 7.0.13
fortinet	fortimanager_cloud	7.2.1 ≤ 𝑥 < 7.2.8
fortinet	fortimanager_cloud	7.4.1 ≤ 𝑥 < 7.4.5

𝑥

= Vulnerable software versions

Known Exploits!

https://fortiguard.fortinet.com/psirt/FG-IR-24-423

Common Weakness Enumeration

CWE-306 - Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-423