CVE-2024-26009
Published: 12 August 2025
Summary
CVE-2024-26009 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Fortinet FortiProxy. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 46.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-26009 is an authentication bypass vulnerability (CWE-288) affecting multiple Fortinet products, including FortiOS versions 6.4.0 through 6.4.15, 6.2.0 through 6.2.16, and all versions of 6.0; FortiPAM versions 1.2.0, 1.1.0 through 1.1.2, and 1.0.0 through 1.0.3; FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, and 7.0.0 through 7.0.15; and FortiSwitchManager versions 7.2.0 through 7.2.3 and 7.0.0 through 7.0.3. The vulnerability enables exploitation through crafted FGFM requests and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
An unauthenticated attacker can exploit this vulnerability by sending crafted FGFM requests to a device managed by FortiManager, provided the attacker knows the FortiManager's serial number. Successful exploitation allows the attacker to seize control of the managed device.
The Fortinet PSIRT advisory provides details on affected versions and mitigation steps at https://fortiguard.fortinet.com/psirt/FG-IR-24-042.
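The affected-version list above is long enough that checking an inventory by hand is error-prone. The following Python snippet is an added triage helper, not code from the page or from Fortinet: it encodes the inclusive ranges exactly as the analysis states them (with "FortiOS 6.0 all versions" as a major.minor prefix match) and flags inventory entries that fall inside them. The inventory rows are constructed sample data; the PSIRT advisory remains the authoritative source for affected builds.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected version ranges transcribed from the analysis above, inclusive on both ends.
# "all_of" holds major.minor prefixes for which every patch level is affected
# (the page says "FortiOS 6.0 all versions").
AFFECTED: Dict[str, Dict[str, list]] = {
    "FortiOS": {
        "ranges": [((6, 4, 0), (6, 4, 15)), ((6, 2, 0), (6, 2, 16))],
        "all_of": [(6, 0)],
    },
    "FortiPAM": {
        "ranges": [((1, 2, 0), (1, 2, 0)), ((1, 1, 0), (1, 1, 2)), ((1, 0, 0), (1, 0, 3))],
        "all_of": [],
    },
    "FortiProxy": {
        "ranges": [((7, 4, 0), (7, 4, 2)), ((7, 2, 0), (7, 2, 8)), ((7, 0, 0), (7, 0, 15))],
        "all_of": [],
    },
    "FortiSwitchManager": {
        "ranges": [((7, 2, 0), (7, 2, 3)), ((7, 0, 0), (7, 0, 3))],
        "all_of": [],
    },
}


def parse_version(text: str) -> Version:
    """Turn '7.0.15' into (7, 0, 15). Rejects anything that is not dotted integers
    and normalises to three components so tuple comparison is well defined."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    nums = (nums + [0, 0, 0])[:3]  # pad '6.4' to 6.4.0, drop any 4th component
    return (nums[0], nums[1], nums[2])


def is_affected(product: str, version: str) -> bool:
    """True when product/version lies inside a range the advisory lists as vulnerable.
    Unknown products raise rather than silently returning False."""
    entry = AFFECTED.get(product)
    if entry is None:
        raise KeyError(f"{product!r} is not a product named in this advisory")
    v = parse_version(version)
    if v[:2] in entry["all_of"]:
        return True
    return any(lo <= v <= hi for lo, hi in entry["ranges"])


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose (product, version) is affected, in inventory order."""
    return [host for host, product, version in inventory if is_affected(product, version)]


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "6.4.15"),          # last affected 6.4 build
    ("fw-edge-02", "FortiOS", "6.4.16"),          # first unaffected 6.4 build
    ("fw-legacy-01", "FortiOS", "6.0.12"),        # all of 6.0 is affected
    ("proxy-dmz-01", "FortiProxy", "7.0.15"),     # affected
    ("proxy-dmz-02", "FortiProxy", "7.2.9"),      # unaffected
    ("pam-core-01", "FortiPAM", "1.2.1"),         # unaffected (only 1.2.0 listed)
    ("swm-campus-01", "FortiSwitchManager", "7.2.3"),  # affected
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2024-26009, schedule patching")
```

The checker deliberately raises on product names it does not know, so a typo in an inventory export surfaces as an error instead of a clean bill of health.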
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-23305
Vulnerability details
An authentication bypass using an alternate path or channel [CWE-288] vulnerability in Fortinet FortiOS 6.4.0 through 6.4.15, FortiOS 6.2.0 through 6.2.16, FortiOS 6.0 all versions, FortiPAM 1.2.0, FortiPAM 1.1.0 through 1.1.2, FortiPAM 1.0.0 through 1.0.3, FortiProxy 7.4.0 through 7.4.2, FortiProxy 7.2.0 through 7.2.8, FortiProxy 7.0.0 through 7.0.15, FortiSwitchManager 7.2.0 through 7.2.3, FortiSwitchManager 7.0.0 through 7.0.3 allows an unauthenticated attacker to seize control of a managed device via crafted FGFM requests, if the device is managed by a FortiManager, and if the attacker knows that FortiManager's serial number.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authentication bypass via crafted FGFM requests enables remote exploitation of a network-accessible Fortinet management interface/device without credentials, directly matching T1190.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mitigates CVE-2024-26009 by identifying, reporting, and correcting the authentication bypass flaw in FGFM request handling through timely patching.
- SC-7 (Boundary Protection): prevents remote unauthenticated exploitation by monitoring and controlling FGFM traffic at system boundaries to allow only authorized FortiManager communications.
- SI-10 (Information Input Validation): blocks crafted FGFM requests exploiting the alternate authentication path by enforcing input validation on management protocol messages.