CVE-2024-48886

EUVD-2024-43226

14.01.2025, 14:15

A weak authentication in Fortinet FortiOS versions 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15, FortiProxy versions 7.4.0 through 7.4.4, 7.2.0 through 7.2.10, 7.0.0 through 7.0.17, 2.0.0 through 2.0.14, FortiManager versions 7.6.0 through 7.6.1, 7.4.1 through 7.4.3, FortiManager Cloud versions 7.4.1 through 7.4.3, FortiAnalyzer Cloud versions 7.4.1 through 7.4.3 allows attacker to execute unauthorized code or commands via a brute-force attack.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9 CRITICAL	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
fortinet	CNA	8 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:R

Base Score

CVSS 3.x

EPSS Score

Percentile: 65%

Affected Products (NVD)

Vendor	Product	Version
fortinet	fortianalyzer	7.4.1 ≤ 𝑥 < 7.4.4
fortinet	fortianalyzer	7.6.0 ≤ 𝑥 < 7.6.2
fortinet	fortianalyzer_cloud	7.4.1 ≤ 𝑥 < 7.4.4
fortinet	fortimanager	7.4.1 ≤ 𝑥 < 7.4.4
fortinet	fortimanager	7.6.0 ≤ 𝑥 < 7.6.2
fortinet	fortimanager_cloud	7.4.1 ≤ 𝑥 < 7.4.4
fortinet	fortiproxy	2.0.0 ≤ 𝑥 < 2.0.15
fortinet	fortiproxy	7.0.0 ≤ 𝑥 < 7.0.18
fortinet	fortiproxy	7.2.0 ≤ 𝑥 < 7.2.11
fortinet	fortiproxy	7.4.0 ≤ 𝑥 < 7.4.5
fortinet	fortios	6.4.0 ≤ 𝑥 < 7.0.16
fortinet	fortios	7.2.0 ≤ 𝑥 < 7.2.9
fortinet	fortios	7.4.0 ≤ 𝑥 < 7.4.5

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-1390 - Weak Authentication
The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-221