CVE-2024-21757 — Unverified Password Change in Fortinet Fortianalyzer

CWE-620 — Unverified Password Change4 documents4 sources

Severity

7.8HIGHNVD

CNA6.1

EPSS

0.1%

top 65.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortianalyzer Fortinet Fortimanager

Timeline

PublishedAug 13

Description

A unverified password change in Fortinet FortiManager versions 7.0.0 through 7.0.10, versions 7.2.0 through 7.2.4, and versions 7.4.0 through 7.4.1, as well as Fortinet FortiAnalyzer versions 7.0.0 through 7.0.10, versions 7.2.0 through 7.2.4, and versions 7.4.0 through 7.4.1, allows an attacker to modify admin passwords via the device configuration backup.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

▶NVDfortinet/fortimanager7.0.0 — 7.0.11+2

▶NVDfortinet/fortianalyzer7.0.0 — 7.0.11+2

▶CVEListV5fortinet/fortimanager7.4.0 — 7.4.1+2

▶CVEListV5fortinet/fortianalyzer7.4.0 — 7.4.1+2

🔴Vulnerability Details

CVEList

CVE-2024-21757: A unverified password change in Fortinet FortiManager versions 7↗2024-08-13

▶

GHSA

GHSA-q5q5-qr9g-74ch: A unverified password change in Fortinet FortiManager versions 7↗2024-08-13

▶

📋Vendor Advisories

Fortinet

Priviledged admin able to modify super-admins password↗2024-08-13

▶