CVE-2024-33504

Medium

Published: 11 February 2025

Published

11 February 2025

Modified

24 July 2025

KEV Added

—

Patch

—

CVSS Score 4.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

EPSS Score 0.0004 12.7th percentile

Risk Priority 8 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-33504 is a medium-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Fortinet Fortimanager. Its CVSS base score is 4.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212); ranked at the 12.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Credential Access (T1212) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely flaw remediation through vendor patching directly eliminates the hard-coded cryptographic key vulnerability in FortiManager.

SC-12 Cryptographic Key Establishment and Management good match

prevent

Proper cryptographic key establishment and management prevents the use of hard-coded keys for encrypting sensitive data.

AC-6 Least Privilege partial match

prevent

Least privilege enforcement limits JSON API access permissions required for an attacker to exploit the hard-coded key and decrypt secrets.

MITRE ATT&CK Enterprise TechniquesAI

T1212 Exploitation for Credential Access Credential Access

Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

attack.mitre.org →

T1552 Unsecured Credentials Credential Access

Adversaries may search compromised systems to find and obtain insecurely stored credentials.

attack.mitre.org →

T1552.001 Credentials In Files Credential Access

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

attack.mitre.org →

T1033 System Owner/User Discovery Discovery

Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system.

attack.mitre.org →

Why these techniques?

The vulnerability uses a hardcoded cryptographic key allowing attackers with JSON API access to decrypt sensitive passwords (T1552, T1081) and leak adjacent memory containing usernames/ADOM data (T1033), via exploitation for credential access (T1212).

NVD Description

A use of hard-coded cryptographic key to encrypt sensitive data vulnerability [CWE-321] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.9, 7.0 all versions, 6.4 all versions may allow an attacker with JSON API access permissions to decrypt…

some secrets even if the 'private-data-encryption' setting is enabled.

Deeper analysisAI

CVE-2024-33504 is a use of hard-coded cryptographic key vulnerability (CWE-321) affecting FortiManager versions 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.9, all versions of 7.0, and all versions of 6.4. The flaw enables decryption of some secrets even when the 'private-data-encryption' setting is enabled. It carries a CVSS v3.1 base score of 4.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N), indicating network accessibility, low attack complexity, high privileges required, no user interaction, changed scope, low confidentiality impact, and no integrity or availability effects.

Exploitation requires an attacker to possess JSON API access permissions on the affected FortiManager instance. With network access and these elevated privileges, the attacker can decrypt sensitive secrets protected by the hard-coded key, potentially exposing configuration data or other confidential information stored in the system.

Mitigation guidance is available in the Fortinet PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-24-094 and the Orange Cyberdefense security advisory at https://github.com/orangecertcc/security-research/security/advisories/GHSA-pgc3-m5p5-4vc3.

Details

CWE(s): CWE-321

Affected Products

fortinet

fortimanager

6.4.0 — 7.2.10 · 7.4.0 — 7.4.6 · 7.6.0 — 7.6.2

fortinet

fortimanager cloud

6.4.1 — 7.2.9 · 7.4.1 — 7.4.6

CVEs Like This One

CVE-2024-35277Same product: Fortinet Fortimanager

CVE-2024-46662Same product: Fortinet Fortimanager

CVE-2024-50566Same product: Fortinet Fortimanager

CVE-2026-22572Same product: Fortinet Fortimanager

CVE-2024-54027Same vendor: Fortinet

CVE-2024-35275Same product: Fortinet Fortimanager

CVE-2024-47571Same product: Fortinet Fortimanager

CVE-2024-45331Same product: Fortinet Fortimanager

CVE-2025-68648Same product: Fortinet Fortimanager

CVE-2025-54820Same product: Fortinet Fortimanager

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-094
Vendor Advisory · psirt@fortinet.com
https://github.com/orangecertcc/security-research/security/advisories/GHSA-pgc3-m5p5-4vc3
Third Party Advisory · psirt@fortinet.com