A high-severity authentication bypass flaw in Fortinet products—tracked as CVE-2024-26009 with a CVSS score of 7.9—can allow unauthenticated attackers to gain full administrative control of managed devices by abusing the FortiGate-to-FortiManager (FGFM) protocol.
Authentication Bypass Using FGFM Enables Administrative Access
The flaw is an authentication bypass (CWE-288) in the FGFM communication path. Attackers can craft malicious FGFM requests to impersonate a managed FortiGate and issue commands through FortiManager, bypassing normal authentication checks. Successful exploitation can lead to execution of unauthorized commands and full device control.
Affected Products and Fixed Versions
The vulnerability affects multiple Fortinet products and legacy releases across product lines. Fortinet published specific upgrade targets for each product line to remediate the issue.
| Product | Affected Versions | Fixed Version / Action |
|---|---|---|
| FortiOS | 6.0 – 6.4.15 (includes 6.2.0 – 6.2.16 ranges called out) | Upgrade to 6.4.16 or later; 6.2.17 or later. (Cyber Security News) |
| FortiProxy | 7.0.0 – 7.0.15; 7.2.0 – 7.2.8; 7.4.0 – 7.4.2 | Upgrade to 7.0.16, 7.2.9, or 7.4.3 respectively. (Cyber Security News) |
| FortiPAM | 1.0, 1.1, 1.2 | Migrate from legacy FortiPAM releases; patches not available for these obsolete versions. (Cyber Security News) |
| FortiSwitchManager | 7.0 – 7.2.3 | See vendor guidance for upgrade paths. (Cyber Security News) |
Exploit Prerequisites and Expected Impact
Exploitation requires two main conditions: the target device must be managed by a FortiManager instance, and the attacker must know the FortiManager’s serial number, which the FGFM implementation uses as an authentication component. When exploited, the flaw permits administrative-level command execution on the managed device.
Mitigation and Patch Guidance
Fortinet recommends immediate patching to the fixed releases listed above. For legacy FortiPAM versions where patches are unavailable, Fortinet directs users to migrate to supported releases. Administrators should follow Fortinet’s documented upgrade procedures and tools to minimize service disruption during remediation.
Fortinet’s Product Security team, led by Théo Leleu, discovered the issue during routine security assessments. The vulnerability has been publicly disclosed alongside the CVE identifier to allow operators to prioritize patching and incident response.
