Vulnerability Monitor


CVE-2024-52965

A missing critical step in authentication vulnerability [CWE-304] in Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.10, and before 7.0.16 & FortiProxy version 7.6.0 through 7.6.1, 7.4.0 through 7.4.8, 7.2.0 through 7.2.13 and before 7.0.20 allows an API-user using api-key + PKI user certificate authentication to login even if the certificate is invalid.

Published

2025-07-08T15:15:22.313

Last Modified

2025-07-22T17:25:57.280

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.2 (HIGH)

Weaknesses
  • Type: Primary
    CWE-304
  • Type: Primary
    NVD-CWE-Other

Affected Vendors & Products
Type              Vendor    Product     Version/Range  Vulnerable?
Application       fortinet  fortiproxy  < 7.0.21       Yes
Application       fortinet  fortiproxy  < 7.2.14       Yes
Application       fortinet  fortiproxy  < 7.4.9        Yes
Application       fortinet  fortiproxy  < 7.6.2        Yes
Operating System  fortinet  fortios     < 7.0.17       Yes
Operating System  fortinet  fortios     < 7.2.11       Yes
Operating System  fortinet  fortios     < 7.4.6        Yes
Operating System  fortinet  fortios     7.6.0          Yes
Operating System  fortinet  fortios     7.6.1          Yes

References