CVE-2024-35277
Published: 14 January 2025
Summary
CVE-2024-35277 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Fortinet FortiManager (and FortiPortal). Its CVSS base score is 8.6 (High).
Operationally, it ranks at the 41.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): directly requires authorization and documentation for any action performed without identification or authentication, countering the missing authentication on the critical configuration-access function.
- AC-3 (Access Enforcement): enforces approved logical access authorizations, so that unauthenticated requests cannot reach managed-device configurations via crafted packets.
- SI-2 (Flaw Remediation): requires timely flaw remediation, including applying the Fortinet fixes for this missing-authentication vulnerability in the affected products.
NVD Description
A missing authentication for critical function in Fortinet FortiPortal version 6.0.0 through 6.0.15, FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14 allows an attacker to access the configuration of the managed devices by sending specifically crafted packets.
Deeper analysis
CVE-2024-35277 is a missing authentication vulnerability (CWE-306) in Fortinet FortiPortal versions 6.0.0 through 6.0.15 and FortiManager versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, and 6.4.0 through 6.4.14. The flaw stems from a lack of authentication for a critical function, enabling attackers to access configurations of managed devices by sending specifically crafted packets. It carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity: network accessibility, low attack complexity, no privileges or user interaction required, a changed scope (S:C), and high confidentiality impact with no integrity or availability impact.
A remote, unauthenticated attacker can exploit this vulnerability by transmitting crafted packets to an affected instance exposed over the network. Exploitation requires no privileges or user interaction, allowing the attacker to retrieve sensitive configuration data from devices managed by FortiPortal or FortiManager. This could reveal network topologies, credentials, policies, and other proprietary information, facilitating further attacks like lateral movement or reconnaissance.
The Fortinet PSIRT advisory provides details on mitigation and patching; refer to https://fortiguard.fortinet.com/psirt/FG-IR-24-135 for affected versions, workarounds, and upgrade guidance.
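As an added example (not part of this advisory, and not Fortinet's own tooling), the following inventory check parses FortiManager and FortiPortal version strings and flags builds that fall inside the affected ranges listed in the NVD description above. The hostnames and versions in the sample inventory are constructed; the only authoritative source for fixed versions remains the Fortinet PSIRT advisory.

```python
"""Inventory check: flag FortiManager / FortiPortal builds whose version
falls inside the ranges NVD lists as affected by CVE-2024-35277."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges as published in the NVD description (inclusive bounds).
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "FortiPortal": [((6, 0, 0), (6, 0, 15))],
    "FortiManager": [
        ((7, 4, 0), (7, 4, 2)),
        ((7, 2, 0), (7, 2, 5)),
        ((7, 0, 0), (7, 0, 12)),
        ((6, 4, 0), (6, 4, 14)),
    ],
}

def parse_version(text: str) -> Version:
    """Parse 'v7.2.5', '7.2.5' or '7.2.5 build1234' into a comparable tuple."""
    core = text.strip().lstrip("vV").split()[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)

def is_affected(product: str, version: str) -> bool:
    """True when the version sits inside one of the listed affected ranges.
    Anything outside those ranges (e.g. 7.4.3) is simply 'not listed here';
    confirm fixed builds against the vendor advisory."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED.get(product, []))

def triage(inventory) -> list:
    """Return (host, product, version) for every affected inventory entry."""
    return [(h, p, ver) for h, p, ver in inventory if is_affected(p, ver)]

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fmg-01.example.test", "FortiManager", "v7.2.5"),
    ("fmg-02.example.test", "FortiManager", "7.4.3 build2571"),
    ("fpc-01.example.test", "FortiPortal", "6.0.15"),
    ("fpc-02.example.test", "FortiPortal", "7.0.0"),
]

if __name__ == "__main__":
    for host, product, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {ver} is in an affected range for CVE-2024-35277")
```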
Details
- CWE(s)