CVE-2024-35277
Published: 14 January 2025
Summary
CVE-2024-35277 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Fortinet FortiManager. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 49.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2024-35277 is a missing authentication vulnerability (CWE-306) in Fortinet FortiPortal versions 6.0.0 through 6.0.15 and FortiManager versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, and 6.4.0 through 6.4.14. The flaw stems from a lack of authentication for a critical function, enabling attackers to access the configurations of managed devices by sending specifically crafted packets. It carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N): network-reachable, low attack complexity, no privileges or user interaction required, a changed scope (S:C), and high confidentiality impact with no integrity or availability impact.
A remote, unauthenticated attacker can exploit this vulnerability by transmitting crafted packets to an affected instance exposed over the network. Exploitation requires no privileges or user interaction, allowing the attacker to retrieve sensitive configuration data from devices managed by FortiPortal or FortiManager. This could reveal network topologies, credentials, policies, and other proprietary information, facilitating further attacks like lateral movement or reconnaissance.
The Fortinet PSIRT advisory provides details on mitigation and patching; refer to https://fortiguard.fortinet.com/psirt/FG-IR-24-135 for affected versions, workarounds, and upgrade guidance.
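A small triage helper for the affected version ranges listed above, added here as an example and not code from the advisory or from Fortinet; the inventory rows are constructed, and the range bounds are taken verbatim from this page (the advisory URL above remains the authority for fixed releases).

```python
from typing import List, Tuple

# Affected ranges as stated in the CVE description (inclusive bounds).
AFFECTED = {
    "FortiPortal": [("6.0.0", "6.0.15")],
    "FortiManager": [
        ("7.4.0", "7.4.2"),
        ("7.2.0", "7.2.5"),
        ("7.0.0", "7.0.12"),
        ("6.4.0", "6.4.14"),
    ],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'major.minor.patch' into a tuple that compares numerically."""
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """True if product/version lies inside one of the published ranges."""
    ranges = AFFECTED.get(product)
    if ranges is None:
        raise KeyError(f"product not covered by CVE-2024-35277: {product!r}")
    ver = parse_version(version)
    return any(parse_version(lo) <= ver <= parse_version(hi) for lo, hi in ranges)


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames whose (product, version) fall in an affected range."""
    return [host for host, product, version in inventory
            if is_affected(product, version)]


# Constructed sample inventory (hostnames are placeholders, not real hosts).
SAMPLE_INVENTORY = [
    ("fmg-01", "FortiManager", "7.4.2"),   # last affected 7.4.x release
    ("fmg-02", "FortiManager", "7.4.3"),   # outside the stated range
    ("fmg-03", "FortiManager", "7.0.12"),
    ("fpt-01", "FortiPortal", "6.0.15"),
    ("fpt-02", "FortiPortal", "6.0.16"),
    ("fmg-04", "FortiManager", "7.3.0"),   # no 7.3 branch is listed
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: version in affected range, prioritise patch or workaround")
```

Versions outside every listed range are reported as not affected only with respect to this CVE; confirm against the PSIRT advisory before closing a finding.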
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-35543
Vulnerability details
A missing authentication for critical function in Fortinet FortiPortal version 6.0.0 through 6.0.15, FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14 allows an attacker to access the configuration of the managed devices by sending specifically crafted packets.
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Missing authentication in a network-exposed management interface (FortiManager/FortiPortal) directly enables remote exploitation of a public-facing application to retrieve sensitive device configurations without credentials.
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): directly requires authorization and documentation for any actions performed without identification or authentication, mitigating the missing authentication for critical configuration access functions.
- AC-3 (Access Enforcement): enforces approved logical access authorizations, preventing unauthenticated attackers from accessing managed device configurations via crafted packets.
- SI-2 (Flaw Remediation): requires timely flaw remediation, including patching the specific missing authentication vulnerability in affected Fortinet products.