Cyber Resilience

CVE-2024-50565

Low

Published: 08 April 2025

Published
08 April 2025
Modified
25 July 2025
KEV Added
Patch
CVSS Score v3.1 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS Score 0.0023 45.8th percentile
Risk Priority 6 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-50565 is a low-severity Channel Accessible by Non-Endpoint (CWE-300) vulnerability in Fortinet Fortimanager. Its CVSS base score is 3.1 (Low).

Operationally, ranked at the 45.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0.0 through 7.0.14, 6.4.0 through 6.4.15 and 6.2.0 through 6.2.16, Fortinet FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9,…

more

7.0.0 through 7.0.15 and 2.0.0 through 2.0.14, Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and 6.2.0 through 6.2.13, Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and 6.2.0 through 6.2.13, Fortinet FortiVoice version 7.0.0 through 7.0.2, 6.4.0 through 6.4.8 and 6.0.0 through 6.0.12 and Fortinet FortiWeb version 7.4.0 through 7.4.2, 7.2.0 through 7.2.10, 7.0.0 through 7.0.10 allows an unauthenticated attacker in a man-in-the-middle position to impersonate the management device (FortiCloud server or/and in certain conditions, FortiManager), via intercepting the FGFM authentication request between the management device and the managed device

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

fortinet
fortiweb
7.4.0 — 7.4.3
fortinet
fortivoice
6.0.0 — 6.4.9 · 7.0.0 — 7.0.3
fortinet
fortiproxy
2.0.0 — 7.0.16 · 7.2.0 — 7.2.10 · 7.4.0 — 7.4.3
fortinet
fortios
6.4.0 — 7.0.16 · 7.2.0 — 7.2.9 · 7.4.0 — 7.4.5
fortinet
fortimanager
6.2.0 — 6.2.14 · 6.4.0 — 6.4.15 · 7.0.0 — 7.0.12
fortinet
fortianalyzer
6.2.0 — 6.2.14 · 6.4.0 — 6.4.15 · 7.0.0 — 7.0.12

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-300

Ensures only authenticated endpoints can access the communication channel, blocking unauthorized non-endpoint access.

addresses: CWE-300

Physically restricts transmission channels so they cannot be accessed or tapped by non-endpoint actors within facilities.

addresses: CWE-300

Periodic TSCM surveys identify unauthorized access points or taps that make communication channels reachable by non-endpoint adversaries.

addresses: CWE-300

Explicitly isolates the communications path so it cannot be accessed or intercepted by non-endpoint entities during security functions.

addresses: CWE-300

Restrictions and channel controls reduce the chance that VoIP media or signaling streams remain accessible to non-participants.

addresses: CWE-300

Directly prevents non-endpoint access or interception of the session communication path.

addresses: CWE-300

An out-of-band channel is inaccessible to non-endpoints that can observe or interfere with the primary communication channel.

addresses: CWE-300

The control restricts an inherently broadcast wireless channel to only intended endpoints, mitigating accessibility by non-endpoints.

References