Several Fortinet security products, including FortiOS, FortiProxy, and FortiPAM, are affected by a high-severity authentication evasion vulnerability. The flaw, tracked as CVE-2024-26009, has a CVSS score of 7.9 and allows unauthenticated attackers to take complete control of managed devices by exploiting the FortiGate-to-FortiManager (FGFM) communication protocol.
The key prerequisite for successful exploitation of this security flaw is the attacker’s knowledge of the target FortiManager serial number, which serves as a key authentication component in the compromised protocol implementation.
The bug is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel). Attackers can exploit this weakness by crafting malicious FGFM requests to target devices managed by FortiManager systems.
The culprit is the FGFM protocol, designed for secure communication between FortiGate devices and central management systems. It contains a critical authentication flaw that allows the execution of unauthorized commands. This vulnerability affects legacy versions of multiple product lines, specifically FortiOS versions 6.0 through 6.4.15 and 6.2.0 through 6.2.16.
FortiProxy installations running versions 7.0.0 through 7.0.15, 7.2.0 through 7.2.8, and 7.4.0 through 7.4.2 are also at risk.
The potential impact is severe, as successful exploitation grants attackers the ability to execute unauthorized code or commands on compromised systems, effectively providing administrative-level access to critical network infrastructure components.
Security researchers from Fortinet’s internal product security team, led by Théo Leleu, discovered this vulnerability during routine security assessments.
Organizations using the affected versions should prioritize immediate patching. Fortinet recommends updating FortiOS 6.4 installations to version 6.4.16 or later, while FortiOS 6.2 users should update to version 6.2.17 or later.
FortiProxy users should upgrade to versions 7.0.16, 7.2.9, or 7.4.3, depending on their current installation.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
