FortiOS/Proxy/Manager CVE-2024-26013: Improper Channel Restriction (CWE-923)
CVE-2024-26013 Published on April 8, 2025
A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15 and before 6.2.16, Fortinet FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9 and before 7.0.15, Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and before 6.2.13, Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and before 6.2.13, Fortinet FortiVoice version 7.0.0 through 7.0.2 before 6.4.8 and Fortinet FortiWeb before 7.4.2 may allow an unauthenticated attacker in a man-in-the-middle position to impersonate the management device (FortiCloud server or/and in certain conditions, FortiManager), via intercepting the FGFM authentication request between the management device and the managed device
Vulnerability Analysis
CVE-2024-26013 can be exploited with network access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Improper Restriction of Communication Channel to Intended Endpoints
The software establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
Products Associated with CVE-2024-26013
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-26013 are published in these products:
Affected Versions
Fortinet FortiProxy:- Version 7.4.0, <= 7.4.2 is affected.
- Version 7.2.0, <= 7.2.9 is affected.
- Version 7.0.0, <= 7.0.15 is affected.
- Version 2.0.0, <= 2.0.14 is affected.
- Version 7.4.0, <= 7.4.2 is affected.
- Version 7.2.0, <= 7.2.4 is affected.
- Version 7.0.0, <= 7.0.11 is affected.
- Version 6.4.0, <= 6.4.14 is affected.
- Version 6.2.0, <= 6.2.13 is affected.
- Version 7.4.0, <= 7.4.3 is affected.
- Version 7.2.0, <= 7.2.7 is affected.
- Version 7.0.0, <= 7.0.14 is affected.
- Version 6.4.0, <= 6.4.15 is affected.
- Version 6.2.0, <= 6.2.16 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.