CVE-2024-52968
Published: 11 February 2025
Summary
CVE-2024-52968 is a medium-severity Improper Authentication (CWE-287) vulnerability in Fortinet Forticlient. Its CVSS base score is 6.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 7.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the improper authentication flaw in FortiClientMac by identifying, reporting, and applying vendor-recommended patches as per the Fortinet advisory.
Requires secure management of authenticators to prohibit empty or default passwords, directly preventing exploitation of the empty password mechanism.
Enforces least privilege to limit high-privilege (PR:H) access required for local exploitation, reducing the attack surface for privileged users.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local auth bypass via empty password in FortiClientMac enables privilege escalation to full macOS compromise (T1068) and abuse of local accounts with weak/empty credentials (T1078.003).
NVD Description
An improper authentication in Fortinet FortiClientMac 7.0.11 through 7.2.4 allows attacker to gain improper access to MacOS via empty password.
Deeper analysisAI
CVE-2024-52968 is an improper authentication vulnerability (CWE-287) affecting Fortinet FortiClientMac in versions 7.0.11 through 7.2.4. It enables an attacker to gain unauthorized access to macOS by exploiting an empty password mechanism. The vulnerability carries a CVSS v3.1 base score of 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating medium severity with high impacts on confidentiality, integrity, and availability.
Exploitation requires local access to the system and high privileges (PR:H), such as those held by an administrator or privileged user. A successful attack allows the adversary to bypass authentication controls, potentially leading to full compromise of the macOS environment through improper access granted via the empty password flaw. No user interaction is needed, and the low attack complexity makes it feasible for a privileged local attacker.
Fortinet's advisory (FG-IR-24-300) at https://fortiguard.fortinet.com/psirt/FG-IR-24-300 provides details on mitigation, including recommended patches and workarounds for affected FortiClientMac versions. Security practitioners should consult this reference for version-specific remediation steps.
Details
- CWE(s)