CVE-2024-26013 — Improper Restriction of Communication Channel to Intended Endpoints in Fortinet Fortianalyzer
Severity
7.5 HIGH (NVD)
EPSS
0.1%
top 64.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Apr 8
Description
An improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15 and before 6.2.16, Fortinet FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9 and before 7.0.15, Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and before 6.2.13, Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, …
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.6 | Impact: 5.9
Affected Packages: 9 packages
Vulnerability Details (2)
CVEList
CVE-2024-26013: An improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7 (2025-04-08)
GHSA
GHSA-m9g2-wm3w-q6rv: An improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7 (2025-04-08)