Exploited
high
7.5
CWE
923
Advisory Published
CVE Published
Updated
Advisory Published

CVE-2024-26013: No certificate name verification for fgfm connection

First published: Tue Apr 08 2025(Updated: )

A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15 and before 6.2.16, Fortinet FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9 and before 7.0.15, Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and before 6.2.13, Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and before 6.2.13, Fortinet FortiVoice version 7.0.0 through 7.0.2 before 6.4.8 and Fortinet FortiWeb before 7.4.2 may allow an unauthenticated attacker in a man-in-the-middle position to impersonate the management device (FortiCloud server or/and in certain conditions, FortiManager), via intercepting the FGFM authentication request between the management device and the managed device

Credit: psirt@fortinet.com

Affected SoftwareAffected VersionHow to fix
Fortinet FortiAnalyzer>=7.4.0<=7.4.2
Fortinet FortiAnalyzer>=7.2.0<=7.2.4
Fortinet FortiAnalyzer>=7.0.0<=7.0.11
Fortinet FortiAnalyzer>=6.4.0<=6.4.14
Fortinet FortiAnalyzer>=6.2.0<=6.2.13
Fortinet FortiManager>=7.4.0<=7.4.2
Fortinet FortiManager>=7.2.0<=7.2.4
Fortinet FortiManager>=7.0.0<=7.0.11
Fortinet FortiManager>=6.4.0<=6.4.14
Fortinet FortiManager>=6.2.0<=6.2.13
FortiOS>=7.4.0<=7.4.4
FortiOS>=7.2.0<=7.2.8
FortiOS>=7.0.0<=7.0.15
FortiOS>=6.4
FortiOS>=6.2.0<=6.2.16
Fortinet FortiProxy SSL VPN webmode>=7.4.0<=7.4.2
Fortinet FortiProxy SSL VPN webmode>=7.2.0<=7.2.9
Fortinet FortiProxy SSL VPN webmode>=7.0.0<=7.0.15
Fortinet FortiProxy SSL VPN webmode>=2.0
Fortinet FortiVoice Enterprise>=7.0.0<=7.0.2
Fortinet FortiVoice Enterprise>=6.4.0<=6.4.8
Fortinet FortiVoice Enterprise>=6.0
Fortinet FortiWeb>=7.4.0<=7.4.2
Fortinet FortiWeb>=7.2
Fortinet FortiWeb>=7.0

Remedy

Please upgrade to FortiProxy version 7.4.3 or above Please upgrade to FortiProxy version 7.2.10 or above Please upgrade to FortiProxy version 7.0.16 or above Please upgrade to FortiOS version 7.6.0 or above Please upgrade to FortiOS version 7.4.5 or above Please upgrade to FortiOS version 7.2.9 or above Please upgrade to FortiOS version 7.0.16 or above Please upgrade to FortiOS version 6.2.17 or above Please upgrade to FortiVoice version 7.2.0 or above Please upgrade to FortiVoice version 7.0.3 or above Please upgrade to FortiVoice version 6.4.9 or above Please upgrade to FortiSASE version 23.1 or above Please upgrade to FortiManager version 7.4.3 or above Please upgrade to FortiManager version 7.2.5 or above Please upgrade to FortiManager version 7.0.12 or above Please upgrade to FortiManager version 6.4.15 or above Please upgrade to FortiManager version 6.2.14 or above Please upgrade to FortiWeb version 7.6.0 or above Please upgrade to FortiWeb version 7.4.3 or above Please upgrade to FortiAnalyzer version 7.4.3 or above Please upgrade to FortiAnalyzer version 7.2.5 or above Please upgrade to FortiAnalyzer version 7.0.12 or above Please upgrade to FortiAnalyzer version 6.4.15 or above Please upgrade to FortiAnalyzer version 6.2.14 or above Please upgrade to FortiGate Cloud version 24.5 or above

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Peer vulnerabilities

(Found alongside the following vulnerabilities)

Frequently Asked Questions

  • What is the severity of CVE-2024-26013?

    CVE-2024-26013 has a high severity due to its exploitation potential affecting multiple Fortinet products.

  • How do I fix CVE-2024-26013?

    To mitigate CVE-2024-26013, update to the latest versions of affected FortiOS, FortiAnalyzer, FortiManager, FortiProxy, and FortiVoice products as specified in the advisory.

  • Which Fortinet products are affected by CVE-2024-26013?

    CVE-2024-26013 affects Fortinet FortiOS, FortiAnalyzer, FortiManager, FortiProxy, and FortiVoice across several versions.

  • What types of vulnerabilities does CVE-2024-26013 represent?

    CVE-2024-26013 represents an improper restriction of communication channel to intended endpoints vulnerability, classified under CWE-923.

  • Is there a workaround for CVE-2024-26013 until I can apply updates?

    No specific workarounds are provided for CVE-2024-26013, and it is recommended to update to the patched versions as soon as possible.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203