Vulnerability Description
An authentication bypass using an alternate path or channel [CWE-288] vulnerability in Fortinet FortiOS 6.4.0 through 6.4.15, FortiOS 6.2.0 through 6.2.16, FortiOS 6.0 all versions, FortiPAM 1.2.0, FortiPAM 1.1.0 through 1.1.2, FortiPAM 1.0.0 through 1.0.3, FortiProxy 7.4.0 through 7.4.2, FortiProxy 7.2.0 through 7.2.8, FortiProxy 7.0.0 through 7.0.15, FortiSwitchManager 7.2.0 through 7.2.3, FortiSwitchManager 7.0.0 through 7.0.3 allows an unauthenticated attacker to seize control of a managed device via crafted FGFM requests, if the device is managed by a FortiManager, and if the attacker knows that FortiManager's serial number.
CVSS Score
8.1 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fortinet | Fortiswitchmanager | >= 7.0.0, < 7.0.4 |
| Fortinet | Fortiproxy | >= 7.0.0, < 7.0.16 |
| Fortinet | Fortipam | >= 1.0.0, <= 1.2.0 |
| Fortinet | Fortios | >= 6.0.0, < 6.2.17 |
Related Weaknesses (CWE)
- CWE-288: Authentication Bypass Using an Alternate Path or Channel
References
- https://fortiguard.fortinet.com/psirt/FG-IR-24-042 (Vendor Advisory)
FAQ
What is CVE-2024-26009?
CVE-2024-26009 is a vulnerability with a CVSS score of 8.1 (HIGH). An authentication bypass using an alternate path or channel [CWE-288] vulnerability in Fortinet FortiOS 6.4.0 through 6.4.15, FortiOS 6.2.0 through 6.2.16, FortiOS 6.0 all versions, FortiPAM 1.2.0, Fo...
How severe is CVE-2024-26009?
CVE-2024-26009 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2024-26009?
Check the references section above for vendor advisories and patch information. Affected products include: Fortinet Fortiswitchmanager, Fortinet Fortiproxy, Fortinet Fortipam, Fortinet Fortios.