Cyber Resilience

CVE-2024-26009

Severity: High
Published: 12 August 2025
Modified: 20 April 2026
KEV Added: not listed
Patch: see the Fortinet PSIRT advisory FG-IR-24-042 (linked under Deeper analysis)
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0029 (53.1st percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-26009 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Fortinet FortiProxy; the same flaw is also present in FortiOS, FortiPAM and FortiSwitchManager (see Deeper analysis for the affected versions). Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 46.9% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-26009 is an authentication bypass vulnerability (CWE-288) affecting multiple Fortinet products, including FortiOS versions 6.4.0 through 6.4.15, 6.2.0 through 6.2.16, and all versions of 6.0; FortiPAM versions 1.2.0, 1.1.0 through 1.1.2, and 1.0.0 through 1.0.3; FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, and 7.0.0 through 7.0.15; and FortiSwitchManager versions 7.2.0 through 7.2.3 and 7.0.0 through 7.0.3. The vulnerability enables exploitation through crafted FGFM requests and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthenticated attacker can exploit this vulnerability by sending crafted FGFM requests to a device managed by FortiManager, provided the attacker knows the FortiManager's serial number; that precondition is consistent with the High attack complexity (AC:H) in the CVSS vector. Successful exploitation allows the attacker to seize control of the managed device.

The Fortinet PSIRT advisory provides details on affected versions and mitigation steps at https://fortiguard.fortinet.com/psirt/FG-IR-24-042.
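The version list above is long and mixes closed ranges with an open-ended branch ("FortiOS 6.0 all versions"), which is exactly where manual inventory checks go wrong. The following script is an added example (not code from the page or from Fortinet) that encodes those ranges as data and tests product/version pairs against them; the product keys, the `parse_version`/`is_affected`/`triage` helper names and the `SAMPLE_INVENTORY` hosts are all constructed for illustration. It also generalizes slightly beyond the text by tolerating build-suffixed strings such as "v6.4.15 build2829" as they appear on appliances.

```python
"""Check Fortinet product/version pairs against the CVE-2024-26009 affected ranges.

Added example, not from the page or from Fortinet. The ranges are transcribed
from the advisory text quoted on the page (FG-IR-24-042); product keys, helper
names and the inventory records are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# (low, high) inclusive per product; high=None means "all versions" of the
# low version's major.minor branch (the advisory's "FortiOS 6.0 all versions").
AFFECTED: Dict[str, List[Tuple[str, Optional[str]]]] = {
    "fortios": [("6.4.0", "6.4.15"), ("6.2.0", "6.2.16"), ("6.0.0", None)],
    "fortipam": [("1.2.0", "1.2.0"), ("1.1.0", "1.1.2"), ("1.0.0", "1.0.3")],
    "fortiproxy": [("7.4.0", "7.4.2"), ("7.2.0", "7.2.8"), ("7.0.0", "7.0.15")],
    "fortiswitchmanager": [("7.2.0", "7.2.3"), ("7.0.0", "7.0.3")],
}


def parse_version(v: str) -> Tuple[int, int, int]:
    """Normalise '7.0.15', 'v7.0.15 build1234' or '6.4' to a 3-tuple of ints."""
    m = re.match(r"^v?(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unparseable version string: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    # pad short strings (6.4 -> 6.4.0) and drop any 4th component
    return tuple((parts + [0, 0, 0])[:3])  # type: ignore[return-value]


def is_affected(product: str, version: str) -> bool:
    """True if (product, version) falls inside an advisory-listed range."""
    ranges = AFFECTED.get(product.lower().replace(" ", ""))
    if ranges is None:
        return False  # product is not named in the advisory
    v = parse_version(version)
    for low, high in ranges:
        lo = parse_version(low)
        if high is None:
            # open-ended branch: same major.minor, any patch level
            if v[:2] == lo[:2]:
                return True
        elif lo <= v <= parse_version(high):
            return True
    return False


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose (product, version) is in an affected range."""
    return [host for host, product, version in inventory
            if is_affected(product, version)]


# Constructed inventory for a stand-alone run; these are not real hosts.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "v6.4.15 build2829"),
    ("fw-edge-02", "FortiOS", "6.4.16"),
    ("proxy-01", "FortiProxy", "7.2.8"),
    ("proxy-02", "FortiProxy", "7.4.3"),
    ("pam-01", "FortiPAM", "1.2.0"),
    ("fsm-01", "FortiSwitchManager", "7.2.4"),
    ("fw-legacy", "FortiOS", "6.0.17"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(host)
```

A hit from `triage` means the build is in a vulnerable range, not that the device is exploitable: per the advisory text the attack additionally requires the device to be managed by a FortiManager and the attacker to know that FortiManager's serial number, so a second inventory field for "managed by FortiManager" is the natural next filter when prioritising.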

Vulnerability details

An authentication bypass using an alternate path or channel [CWE-288] vulnerability in Fortinet FortiOS 6.4.0 through 6.4.15, FortiOS 6.2.0 through 6.2.16, FortiOS 6.0 all versions, FortiPAM 1.2.0, FortiPAM 1.1.0 through 1.1.2, FortiPAM 1.0.0 through 1.0.3, FortiProxy 7.4.0 through 7.4.2, FortiProxy 7.2.0 through 7.2.8, FortiProxy 7.0.0 through 7.0.15, FortiSwitchManager 7.2.0 through 7.2.3, FortiSwitchManager 7.0.0 through 7.0.3 allows an unauthenticated attacker to seize control of a managed device via crafted FGFM requests, if the device is managed by a FortiManager, and if the attacker knows that FortiManager's serial number.

CWE(s)

CWE-288 Authentication Bypass Using an Alternate Path or Channel

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authentication bypass via crafted FGFM requests enables remote exploitation of a network-accessible Fortinet management interface/device without credentials, directly matching T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-24472 (same product: Fortinet FortiOS)
CVE-2024-55591 (same product: Fortinet FortiOS)
CVE-2024-45324 (same product: Fortinet FortiOS)
CVE-2025-59718 (same product: Fortinet FortiOS)
CVE-2025-25249 (same product: Fortinet FortiOS)
CVE-2026-24858 (same product: Fortinet FortiOS)
CVE-2024-35279 (same product: Fortinet FortiOS)
CVE-2025-53847 (same product: Fortinet FortiOS)
CVE-2024-26006 (same product: Fortinet FortiOS)
CVE-2026-22153 (same product: Fortinet FortiOS)

Affected Assets

Vendor    Product             Version ranges (as listed on this page)
fortinet  fortiswitchmanager  7.0.0 — 7.0.4 · 7.2.0 — 7.2.4
fortinet  fortiproxy          7.0.0 — 7.0.16 · 7.2.0 — 7.2.9 · 7.4.0 — 7.4.3
fortinet  fortipam            1.0.0 — 1.2.0
fortinet  fortios             6.0.0 — 6.2.17 · 6.4.0 — 6.4.16

Note that most upper bounds in this table sit one patch level above the last affected release named in the advisory text (FortiSwitchManager 7.0.3 and 7.2.3, FortiProxy 7.0.15, 7.2.8 and 7.4.2, FortiOS 6.2.16 and 6.4.15), so they appear to be exclusive end-of-range markers rather than affected versions; the FortiPAM bound of 1.2.0 is itself listed as affected. Treat the version list in the Vulnerability details section as authoritative and do not mark a device such as FortiProxy 7.4.3 as affected on the strength of this table alone.

Mitigating Controls (NIST 800-53 r5)

prevent (flaw remediation / patching): Directly mitigates CVE-2024-26009 by identifying, reporting, and correcting the authentication bypass flaw in FGFM request handling through timely patching to a fixed release per the Fortinet PSIRT advisory.

prevent (SC-7 Boundary Protection): Prevents remote unauthenticated exploitation by monitoring and controlling FGFM traffic (TCP/541) at system boundaries so that only the authorized FortiManager address(es) can reach the FGFM service on managed devices; this is the control an operator can apply immediately while patching is scheduled.

prevent (SI-10 Information Input Validation): Blocks crafted FGFM requests exploiting the alternate authentication path by enforcing input validation on management protocol messages. For an appliance operator this validation is delivered by the vendor fix rather than configured locally, which is why patching and boundary protection are the actionable items above.

References

Fortinet PSIRT advisory FG-IR-24-042: https://fortiguard.fortinet.com/psirt/FG-IR-24-042