CVE-2024-26006
Published: 14 March 2025
Summary
CVE-2024-26006 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Fortinet FortiOS. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 38.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates CVE-2024-26006 by requiring timely identification, reporting, and patching of the improper input neutralization flaw in the affected FortiOS and FortiProxy web SSL VPN UI.
Prevents XSS exploitation by enforcing output filtering and encoding of untrusted inputs during web page generation in the SSL VPN UI.
Blocks malicious inputs from Samba servers by validating and sanitizing data before processing in the web SSL VPN UI.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an XSS vulnerability (CWE-79) in the public-facing SSL VPN web UI, directly enabling exploitation of public-facing applications via script injection and execution of JavaScript in the victim's browser context.
NVD Description
An improper neutralization of input during web page Generation vulnerability [CWE-79] in FortiOS version 7.4.3 and below, version 7.2.7 and below, version 7.0.13 and below and FortiProxy version 7.4.3 and below, version 7.2.9 and below, version 7.0.16 and below web SSL VPN UI may allow a remote unauthenticated attacker to perform a Cross-Site Scripting attack via a malicious samba server.
Deeper analysis
CVE-2024-26006 is an improper neutralization of input during web page generation vulnerability (CWE-79), enabling cross-site scripting (XSS) in the web SSL VPN UI of FortiOS versions 7.4.3 and below, 7.2.7 and below, and 7.0.13 and below, as well as FortiProxy versions 7.4.3 and below, 7.2.9 and below, and 7.0.16 and below. Published on 2025-03-14, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote unauthenticated attacker can exploit this vulnerability by leveraging a malicious Samba server to inject scripts into the SSL VPN web UI. Exploitation requires high attack complexity and user interaction, such as a victim accessing the VPN portal in a way that triggers interaction with the attacker's controlled Samba server, potentially leading to high-impact confidentiality, integrity, and availability consequences within the user's browser context.
Fortinet's advisory at https://fortiguard.fortinet.com/psirt/FG-IR-23-485 provides details on affected versions and mitigation recommendations. Security practitioners should consult this reference for patching instructions and workarounds.
Details
- CWE(s)