CVE-2024-50568 — Channel Accessible by Non-Endpoint in Fortinet Fortios

CWE-300 — Channel Accessible by Non-Endpoint4 documents4 sources

Severity

5.9MEDIUMNVD

EPSS

0.1%

top 84.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortios Fortinet Fortiproxy

Timeline

PublishedJun 10

Description

A channel accessible by non-endpoint vulnerability [CWE-300] in Fortinet FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7 and before 7.0.14 & FortiProxy version 7.4.0 through 7.4.3, 7.2.0 through 7.2.9 and before 7.0.16 allows an unauthenticated attacker with the knowledge of device specific data to spoof the identity of a downstream device of the security fabric via crafted TCP requests.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages4 packages

▶NVDfortinet/fortios6.4.2 — 7.2.9+1

▶NVDfortinet/fortiproxy7.0.0 — 7.0.17+2

▶CVEListV5fortinet/fortios7.4.0 — 7.4.3+3

▶CVEListV5fortinet/fortiproxy7.4.0 — 7.4.3+2

🔴Vulnerability Details

CVEList

CVE-2024-50568: A channel accessible by non-endpoint vulnerability [CWE-300] in Fortinet FortiOS version 7↗2025-06-10

▶

GHSA

GHSA-q6xx-gv82-hc4m: A channel accessible by non-endpoint vulnerability [CWE-300] in Fortinet FortiOS version 7↗2025-06-10

▶

📋Vendor Advisories

Fortinet

Weak authentication in security fabric daemon↗2025-06-10

▶