Cyber Resilience

CVE-2024-35277 (High)

Published: 14 January 2025
Modified: 31 January 2025
KEV Added: not listed
CVSS v3.1 score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS score: 0.0027 (50.7th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-35277 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Fortinet FortiManager. Its CVSS v3.1 base score is 8.6 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 49.3% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2024-35277 is a missing authentication vulnerability (CWE-306) in Fortinet FortiPortal versions 6.0.0 through 6.0.15 and FortiManager versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, and 6.4.0 through 6.4.14. The flaw stems from a lack of authentication for a critical function, enabling attackers to access the configurations of managed devices by sending specifically crafted packets. It carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity: the function is reachable over the network, attack complexity is low, no privileges or user interaction are required, and the scope change (S:C) comes with high confidentiality impact.

A remote, unauthenticated attacker can exploit this vulnerability by transmitting crafted packets to an affected instance exposed over the network. Exploitation requires no privileges or user interaction, allowing the attacker to retrieve sensitive configuration data from devices managed by FortiPortal or FortiManager. This could reveal network topologies, credentials, policies, and other proprietary information, facilitating further attacks like lateral movement or reconnaissance.

The Fortinet PSIRT advisory provides details on mitigation and patching; refer to https://fortiguard.fortinet.com/psirt/FG-IR-24-135 for affected versions, workarounds, and upgrade guidance.


Vulnerability details

A missing authentication for critical function in Fortinet FortiPortal versions 6.0.0 through 6.0.15 and FortiManager versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, and 6.4.0 through 6.4.14 allows an attacker to access the configuration of the managed devices by sending specifically crafted packets.

CWE(s): CWE-306 Missing Authentication for Critical Function

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique? Missing authentication in a network-exposed management interface (FortiManager/FortiPortal) directly enables remote exploitation of a public-facing application to retrieve sensitive device configurations without credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-50566 (same product: Fortinet FortiManager)
CVE-2024-35276 (same product: Fortinet FortiManager)
CVE-2024-46662 (same product: Fortinet FortiManager)
CVE-2025-61848 (same product: Fortinet FortiManager)
CVE-2024-47571 (same product: Fortinet FortiManager)
CVE-2025-53847 (same vendor: Fortinet)
CVE-2024-33504 (same product: Fortinet FortiManager)
CVE-2025-54820 (same product: Fortinet FortiManager)
CVE-2026-22572 (same product: Fortinet FortiManager)
CVE-2024-40584 (same product: Fortinet FortiManager)

Affected Assets

Fortinet FortiManager: 6.4.0 to 6.4.15, 7.0.0 to 7.0.13, 7.2.0 to 7.2.6
Fortinet FortiManager Cloud: 7.0.1 to 7.0.13, 7.2.1 to 7.2.7, 7.4.1 to 7.4.3

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-14 Permitted Actions Without Identification or Authentication (prevent): Directly requires authorization and documentation for any actions performed without identification or authentication, mitigating the missing authentication for critical configuration access functions.

AC-3 Access Enforcement (prevent): Enforces approved logical access authorizations, preventing unauthenticated attackers from accessing managed device configurations via crafted packets.

SI-2 Flaw Remediation (prevent): Requires timely flaw remediation, including patching the specific missing authentication vulnerability in affected Fortinet products.
