CVE-2024-21754
published 2024-06-11


Priority: P278
CVSS 3.1: 4.4 (medium)
Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 3.47% (87.6th percentile)
A use of password hash with insufficient computational effort vulnerability [CWE-916] affecting FortiOS version 7.4.3 and below, 7.2 all versions, 7.0 all versions, 6.4 all versions and FortiProxy version 7.4.2 and below, 7.2 all versions, 7.0 all versions, 2.0 all versions may allow a privileged attacker with super-admin profile and CLI access to decrypt the backup file.

Affected

13 ranges

Vendor    Product      Version range        Fixed in
fortinet  fortios
fortinet  fortios      6.4.0 – 6.4.15
fortinet  fortios      7.0.0 – 7.0.15
fortinet  fortios      >= 7.2.0 < 7.2.9     7.2.9
fortinet  fortios      7.2.0 – 7.2.8
fortinet  fortios      >= 7.4.0 < 7.4.4     7.4.4
fortinet  fortios      7.4.0 – 7.4.3
fortinet  fortiproxy
fortinet  fortiproxy   2.0.0 – 2.0.14
fortinet  fortiproxy   7.0.0 – 7.0.18
fortinet  fortiproxy   7.2.0 – 7.2.11
fortinet  fortiproxy   >= 7.4.0 < 7.4.3     7.4.3
fortinet  fortiproxy   7.4.0 – 7.4.2

Detection & IOCs (extracted from sources)

  • Exploitation requires a privileged attacker with a super-admin profile AND CLI access; detection should therefore focus on super-admin CLI sessions performing backup or decrypt operations on FortiOS/FortiProxy devices.
  • Scope is limited to local access (AV:L) with high privileges required (PR:H) and no user interaction (UI:N); the CVSS vector confirms there is no remote exploitation path, so monitoring should concentrate on local/console CLI sessions.
  • Affected FortiOS versions: 7.4.3 and below, all 7.2.x, all 7.0.x, all 6.4.x. Upgrade to a fixed version to remediate the weak key derivation used for backup files.
  • Affected FortiProxy versions: 7.4.2 and below, all 7.2.x, all 7.0.x, all 2.0.x. Upgrade to a fixed version to remediate the weak key derivation used for backup files.
  • The vulnerability is classified as CWE-916 (Use of Password Hash With Insufficient Computational Effort): backup files encrypted by affected versions use a weak key derivation function, so an attacker who obtains a backup file may be able to decrypt it offline.
  • Siemens RUGGEDCOM APE1808 devices running Fortinet NGFW are also affected by this vulnerability across all versions.

CVSS provenance

NVD (CVSS v3.1): 4.4 MEDIUM, CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
VulnCheck: 1.8 LOW