Cyber Posture

CVE-2024-26009

High

Published: 12 August 2025
Modified: 20 April 2026
KEV Added: not listed
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (32.0th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-26009 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Fortinet FortiOS, FortiPAM, FortiProxy and FortiSwitchManager (affected versions are listed in the NVD description below). Its CVSS v3.1 base score is 8.1 (High); attack complexity is rated High because exploitation requires knowledge of the managing FortiManager's serial number.

Operationally, its EPSS score of 0.0013 places it at the 32.0th percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation), applied alongside patching to a fixed release as described in the Fortinet advisory linked below.

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- SI-2 Flaw Remediation (prevent): directly mitigates CVE-2024-26009 by identifying, reporting and correcting the authentication bypass flaw in FGFM request handling through timely patching to a fixed release.
- SC-7 Boundary Protection (prevent): prevents remote unauthenticated exploitation by monitoring and controlling FGFM traffic (TCP/541) at system boundaries so that only the authorized FortiManager can reach a managed device's FGFM listener.
- SI-10 Information Input Validation (prevent): blocks crafted FGFM requests that reach the alternate authentication path by enforcing input validation on management protocol messages.
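The SC-7 control above amounts to a simple rule: only the authorized FortiManager may open FGFM (TCP/541) connections to a managed device. The script below, an added example rather than code from this page or from Fortinet, runs that rule over FortiGate-style key=value traffic logs and flags inbound FGFM connection attempts from any other source. The log lines are constructed to mimic FortiGate's traffic log format, and the FortiManager address and device addresses are assumptions; it inspects connections to the device's own FGFM listener (subtype "local", destination port 541), which is the direction the crafted requests in this CVE travel.

```python
"""Flag FGFM (TCP/541) connections to a FortiGate that do not come from the authorized
FortiManager. Added example, not from the page or Fortinet. Log lines below are
constructed in FortiGate key=value style; all addresses are assumptions."""
import re

FGFM_PORT = 541  # FGFM, the FortiGate-to-FortiManager management protocol, uses TCP/541

# Hypothetical allowlist: the only host that should ever speak FGFM to managed devices.
AUTHORIZED_FMG = {"198.51.100.5"}

# Constructed sample records. type=traffic subtype=local means traffic addressed to the
# FortiGate itself; field names follow FortiGate's key=value log format.
SAMPLE_LOGS = """\
date=2025-08-13 time=10:02:11 devname="fgt-edge-01" type="traffic" subtype="local" srcip=198.51.100.5 dstip=192.0.2.1 srcport=40110 dstport=541 proto=6 action="accept"
date=2025-08-13 time=10:05:43 devname="fgt-edge-01" type="traffic" subtype="local" srcip=203.0.113.45 dstip=192.0.2.1 srcport=50022 dstport=541 proto=6 action="accept"
date=2025-08-13 time=10:06:02 devname="fgt-edge-01" type="traffic" subtype="local" srcip=203.0.113.46 dstip=192.0.2.1 srcport=50023 dstport=541 proto=6 action="deny"
date=2025-08-13 time=10:07:15 devname="fgt-edge-01" type="traffic" subtype="local" srcip=203.0.113.45 dstip=192.0.2.1 srcport=50024 dstport=443 proto=6 action="accept"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Parse one key=value log line into a dict; quoted values lose their quotes."""
    out = {}
    for m in _KV.finditer(line):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return out


def fgfm_alerts(log_text, authorized=AUTHORIZED_FMG):
    """Return (severity, srcip, dstip, action) for every TCP/541 connection attempt whose
    source is not an authorized FortiManager.

    'high'  = the device accepted the connection, so the unauthenticated FGFM path was
              reachable from an unexpected host.
    'info'  = the boundary control denied it, but someone is probing the FGFM port.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "traffic" or rec.get("proto") != "6":
            continue  # only TCP traffic records are relevant
        if rec.get("dstport") != str(FGFM_PORT):
            continue
        src = rec.get("srcip")
        if src in authorized:
            continue
        severity = "high" if rec.get("action") == "accept" else "info"
        alerts.append((severity, src, rec.get("dstip"), rec.get("action")))
    return alerts


if __name__ == "__main__":
    for alert in fgfm_alerts(SAMPLE_LOGS):
        print(*alert)
```

Run against real exports, the same filter applies to whatever log pipeline holds the device's local-in traffic logs; a non-empty "high" result means the boundary control did not hold and the device should be checked for management-channel changes regardless of patch status.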

NVD Description

An authentication bypass using an alternate path or channel [CWE-288] vulnerability in Fortinet FortiOS 6.4.0 through 6.4.15, FortiOS 6.2.0 through 6.2.16, FortiOS 6.0 all versions, FortiPAM 1.2.0, FortiPAM 1.1.0 through 1.1.2, FortiPAM 1.0.0 through 1.0.3, FortiProxy 7.4.0 through 7.4.2, FortiProxy 7.2.0 through 7.2.8, FortiProxy 7.0.0 through 7.0.15, FortiSwitchManager 7.2.0 through 7.2.3, FortiSwitchManager 7.0.0 through 7.0.3 allows an unauthenticated attacker to seize control of a managed device via crafted FGFM requests, if the device is managed by a FortiManager, and if the attacker knows that FortiManager's serial number.

Deeper analysis

CVE-2024-26009 is an authentication bypass vulnerability (CWE-288) affecting multiple Fortinet products: FortiOS 6.4.0 through 6.4.15, 6.2.0 through 6.2.16 and all 6.0 versions; FortiPAM 1.2.0, 1.1.0 through 1.1.2 and 1.0.0 through 1.0.3; FortiProxy 7.4.0 through 7.4.2, 7.2.0 through 7.2.8 and 7.0.0 through 7.0.15; and FortiSwitchManager 7.2.0 through 7.2.3 and 7.0.0 through 7.0.3. The flaw lies in the handling of FGFM requests, the FortiGate-to-FortiManager management protocol, and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthenticated attacker who can reach the FGFM service of a device managed by FortiManager can send crafted FGFM requests that traverse an alternate authentication path, provided the attacker knows the FortiManager's serial number. Successful exploitation allows the attacker to seize control of the managed device. Two preconditions narrow the exposed population and account for the High attack-complexity rating: the device must actually be enrolled with a FortiManager, and the serial number of that FortiManager must be known to the attacker. Devices that are not FortiManager-managed still run the vulnerable code and should be patched, but per the NVD description this CVE gives no exploitation path against them.

The Fortinet PSIRT advisory provides details on affected versions and mitigation steps at https://fortiguard.fortinet.com/psirt/FG-IR-24-042.

Details

CWE(s): CWE-288 Authentication Bypass Using an Alternate Path or Channel

Affected Products (vendor: fortinet)

fortiswitchmanager: 7.0.0 — 7.0.4 · 7.2.0 — 7.2.4
fortiproxy: 7.0.0 — 7.0.16 · 7.2.0 — 7.2.9 · 7.4.0 — 7.4.3
fortipam: 1.0.0 — 1.2.0
fortios: 6.0.0 — 6.2.17 · 6.4.0 — 6.4.16

Note: these ranges come from the page's product data and do not line up exactly with the NVD description above. For most products the upper bound here is one patch level above the last affected version NVD names (for example NVD lists FortiProxy 7.4.0 through 7.4.2 and FortiSwitchManager 7.2.0 through 7.2.3 as affected, while the bounds here end at 7.4.3 and 7.2.4), consistent with an exclusive upper bound, whereas FortiPAM 1.2.0 is itself affected. When triaging, treat the NVD description and the Fortinet advisory as the authoritative version list.
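Because the affected-version data above and the NVD description differ by one patch level for several products, a fleet check should compare against the NVD ranges directly rather than the table. The script below is an added example, not tooling from this page, Fortinet or NVD: it transcribes the NVD-listed inclusive ranges, parses version strings as they appear in device inventories, and tags each affected device according to the NVD precondition that exploitation requires the device to be FortiManager-managed. The inventory rows, hostnames and the managed flag are constructed.

```python
"""Triage a device inventory against the version ranges NVD lists for CVE-2024-26009.
Added example, not from the page, Fortinet or NVD. Ranges are transcribed from the NVD
description; the inventory rows below are constructed."""
import re

# Inclusive (lowest, highest) affected ranges per product, from the NVD description.
# "FortiOS 6.0 all versions" has no upper patch number, so that range is open-ended.
AFFECTED = {
    "fortios": [
        ((6, 4, 0), (6, 4, 15)),
        ((6, 2, 0), (6, 2, 16)),
        ((6, 0, 0), (6, 0, float("inf"))),
    ],
    "fortipam": [
        ((1, 2, 0), (1, 2, 0)),
        ((1, 1, 0), (1, 1, 2)),
        ((1, 0, 0), (1, 0, 3)),
    ],
    "fortiproxy": [
        ((7, 4, 0), (7, 4, 2)),
        ((7, 2, 0), (7, 2, 8)),
        ((7, 0, 0), (7, 0, 15)),
    ],
    "fortiswitchmanager": [
        ((7, 2, 0), (7, 2, 3)),
        ((7, 0, 0), (7, 0, 3)),
    ],
}

# MAJOR.MINOR.PATCH, optionally prefixed with "v" and followed by build details
_VER = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract MAJOR.MINOR.PATCH from strings like '7.4.2' or 'v6.4.15,build2502'."""
    m = _VER.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(product, version):
    """True if the product/version pair falls inside an NVD-listed affected range."""
    ranges = AFFECTED.get(product.lower())
    if ranges is None:
        return False  # product not named by NVD for this CVE (e.g. FortiManager itself)
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in ranges)


def triage(inventory):
    """Rows are (hostname, product, version, managed_by_fortimanager).

    Returns (hostname, tag) for every affected device:
      'exploitable' = affected and FortiManager-managed, the NVD precondition holds
      'patch'       = affected but not FortiManager-managed; still patch, but this CVE
                      offers no exploitation path until the device is enrolled
    Unaffected devices are omitted.
    """
    result = []
    for host, product, version, managed in inventory:
        if not is_affected(product, version):
            continue
        result.append((host, "exploitable" if managed else "patch"))
    return result


# Constructed inventory; hostnames, versions and managed flags are assumptions.
INVENTORY = [
    ("fgt-edge-01", "fortios", "v6.4.15,build2502", True),
    ("fgt-edge-02", "fortios", "v6.4.16,build2529", True),
    ("fgt-lab-01", "fortios", "v6.0.17", False),
    ("fpx-01", "fortiproxy", "7.4.2", True),
    ("fpx-02", "fortiproxy", "7.4.3", True),
    ("fpam-01", "fortipam", "1.2.0", True),
    ("fsm-01", "fortiswitchmanager", "7.0.3", False),
    ("fmg-01", "fortimanager", "7.4.3", False),
]

if __name__ == "__main__":
    for host, tag in triage(INVENTORY):
        print(f"{host}: {tag}")
```

The managed flag is worth verifying from the device itself rather than from a CMDB, since a device that was enrolled after the inventory was taken moves from "patch" to "exploitable" without any version change.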

CVEs Like This One

CVE-2025-24472 (same product: Fortinet FortiOS)
CVE-2024-55591 (same product: Fortinet FortiOS)
CVE-2026-24858 (same product: Fortinet FortiOS)
CVE-2025-59718 (same product: Fortinet FortiOS)
CVE-2024-26006 (same product: Fortinet FortiOS)
CVE-2024-45324 (same product: Fortinet FortiOS)
CVE-2025-25249 (same product: Fortinet FortiOS)
CVE-2026-22153 (same product: Fortinet FortiOS)
CVE-2025-64157 (same product: Fortinet FortiOS)
CVE-2024-40591 (same product: Fortinet FortiOS)

References

Fortinet PSIRT advisory FG-IR-24-042: https://fortiguard.fortinet.com/psirt/FG-IR-24-042