Cyber Resilience

CVE-2024-21754

Low

Published: 11 June 2024

Modified: 21 November 2024
KEV Added: not listed
Patch
CVSS Score (v3.1): 1.8, vector CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
EPSS Score: 0.0490 (89.8th percentile)
Risk Priority: 7 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-21754 is a low-severity Use of Password Hash With Insufficient Computational Effort (CWE-916) vulnerability in Fortinet FortiProxy. Its CVSS base score is 1.8 (Low).

Operationally, its EPSS score ranks it in the top 10.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

A use of password hash with insufficient computational effort vulnerability, tracked as CWE-916, affects FortiOS versions 7.4.3 and below along with all versions of 7.2, 7.0, and 6.4, as well as FortiProxy versions 7.4.2 and below along with all versions of 7.2, 7.0, and 2.0. The flaw resides in the handling of backup file encryption and carries a CVSS score of 1.8.

A privileged attacker who already possesses a super-admin profile and CLI access can exploit the weakness to decrypt a backup file. The attack requires local access, high attack complexity, high privileges, and user interaction, limiting its scope to information disclosure without direct impact on integrity or availability.

Fortinet has published advisory FG-IR-23-423 detailing the issue for affected FortiOS and FortiProxy deployments. The EPSS score remains low, with a current value of 0.0490 and a peak of 0.0571.

EU & UK References

Vulnerability details

A use of password hash with insufficient computational effort vulnerability [CWE-916] affecting FortiOS version 7.4.3 and below, 7.2 all versions, 7.0 all versions, 6.4 all versions and FortiProxy version 7.4.2 and below, 7.2 all versions, 7.0 all versions, 2.0 all versions may allow a privileged attacker with super-admin profile and CLI access to decrypt the backup file.

CWE(s): CWE-916

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

fortinet / fortiproxy: 2.0.0 to 2.0.14, 7.0.0 to 7.0.18, 7.2.0 to 7.2.11
fortinet / fortios: 6.4.0 to 6.4.15, 7.0.0 to 7.0.15, 7.2.0 to 7.2.9

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-916

Guidance from security contacts flags password hashing methods with insufficient computational effort so that they are not adopted.
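To make the CWE-916 weakness concrete, the following added example (written for this page; it is not Fortinet's code and says nothing about how FortiOS or FortiProxy actually derive their backup encryption keys) contrasts a key derived with a single fast hash round against one derived with PBKDF2-HMAC-SHA256 at a high iteration count, and measures the work factor each imposes on anyone guessing the passphrase. The passphrase, salt and iteration counts are constructed sample values; the function names are the example's own.

```python
import hashlib
import hmac
import os
import time

# Constructed sample input for the demonstration (not values from any product).
PASSPHRASE = b"correct horse battery staple"
SALT = os.urandom(16)


def weak_kdf(passphrase: bytes, salt: bytes) -> bytes:
    """CWE-916 pattern: one fast hash round.

    Cheap for the legitimate party, but exactly as cheap for someone
    guessing passphrases offline against a captured encrypted artifact.
    """
    return hashlib.sha256(salt + passphrase).digest()


def strong_kdf(passphrase: bytes, salt: bytes, iterations: int = 600_000) -> bytes:
    """Deliberately expensive derivation: PBKDF2-HMAC-SHA256.

    The iteration count is the tunable work factor; 600,000 is the current
    OWASP recommendation for PBKDF2-HMAC-SHA256 (assumption: adjust to your
    own latency budget).
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=32)


def seconds_per_derivation(kdf, passphrase: bytes, salt: bytes, rounds: int = 3) -> float:
    """Average wall-clock cost of one derivation with the given KDF."""
    start = time.perf_counter()
    for _ in range(rounds):
        kdf(passphrase, salt)
    return (time.perf_counter() - start) / rounds


def work_factor_ratio(passphrase: bytes, salt: bytes, iterations: int = 600_000) -> float:
    """How many times more expensive one strong derivation is than one weak one.

    This ratio is also the factor by which an offline guessing campaign slows down.
    """
    weak = seconds_per_derivation(weak_kdf, passphrase, salt, rounds=50)
    strong = seconds_per_derivation(
        lambda p, s: strong_kdf(p, s, iterations), passphrase, salt, rounds=1
    )
    return strong / weak


def verify(kdf, stored_key: bytes, candidate: bytes, salt: bytes, **kdf_args) -> bool:
    """Constant-time comparison of a freshly derived key against the stored one."""
    return hmac.compare_digest(stored_key, kdf(candidate, salt, **kdf_args))


if __name__ == "__main__":
    weak_t = seconds_per_derivation(weak_kdf, PASSPHRASE, SALT, rounds=1000)
    strong_t = seconds_per_derivation(strong_kdf, PASSPHRASE, SALT, rounds=1)
    print(f"single SHA-256 round : {weak_t * 1e6:8.1f} us, ~{1 / weak_t:,.0f} guesses/s per core")
    print(f"PBKDF2 600k iters    : {strong_t * 1e3:8.1f} ms, ~{1 / strong_t:,.0f} guesses/s per core")
    print(f"work factor ratio    : {work_factor_ratio(PASSPHRASE, SALT):,.0f}x")
```

The point a defender should take from the numbers is that the single-round derivation is effectively free to brute-force offline once the encrypted backup is in hand, whereas the iterated KDF makes every guess cost the same as a legitimate derivation; the iteration count should be raised until a legitimate derivation takes as long as the workflow tolerates. A memory-hard KDF (scrypt or Argon2) would raise the cost further by also penalising GPU- and ASIC-based guessing.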

References