CVE-2024-33504: Use of Hard-coded Cryptographic Key in Fortinet FortiManager

Severity: 7.7 HIGH (NVD); 4.1 (CNA)
EPSS: 0.0% (top 87.44%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 11

Description

A use of hard-coded cryptographic key to encrypt sensitive data vulnerability [CWE-321] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.9, 7.0 all versions, 6.4 all versions may allow an attacker with JSON API access permissions to decrypt some secrets even if the 'private-data-encryption' setting is enabled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Exploitability: 3.1 | Impact: 4.0

Affected Packages (3 packages)

Source     | Package                     | Versions
NVD        | fortinet/fortimanager       | 6.4.0, 7.2.10, +2 more
NVD        | fortinet/fortimanager_cloud | 6.4.1, 7.2.9, +1 more
CVEListV5  | fortinet/fortimanager       | 7.6.0, 7.6.1, +4 more

Vulnerability Details (2)

GHSA (2025-02-11): GHSA-6rfg-cmrr-c9j6: A use of hard-coded cryptographic key to encrypt sensitive data vulnerability [CWE-321] in FortiManager 7...
CVEList (2025-02-11): CVE-2024-33504: A use of hard-coded cryptographic key to encrypt sensitive data vulnerability [CWE-321] in FortiManager 7...

Vendor Advisories (1)

Fortinet (2025-02-11): Use of Hard-coded Cryptographic Key to encrypt sensitive data
CVE-2024-33504 — Use of Hard-coded Cryptographic Key | cvebase