PT-2024-6533 · Fortinet · FortiAnalyzer +1

Published: 2024-01-02 · Updated: 2024-08-22 · CVE-2024-21757

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
- Fortinet FortiManager versions 7.0.0 through 7.0.10
- Fortinet FortiManager versions 7.2.0 through 7.2.4
- Fortinet FortiManager versions 7.4.0 through 7.4.1
- Fortinet FortiAnalyzer versions 7.0.0 through 7.0.10
- Fortinet FortiAnalyzer versions 7.2.0 through 7.2.4
- Fortinet FortiAnalyzer versions 7.4.0 through 7.4.1
Description: Fortinet FortiManager and Fortinet FortiAnalyzer perform an unverified password change: administrator passwords supplied through the device configuration backup are applied without the checks that a password change requires. An attacker who can submit a device configuration backup can therefore change administrator passwords.
Recommendations: Update to a version that includes the fix for this issue if you run any of the affected releases:
- Fortinet FortiManager versions 7.0.0 through 7.0.10
- Fortinet FortiManager versions 7.2.0 through 7.2.4
- Fortinet FortiManager versions 7.4.0 through 7.4.1
- Fortinet FortiAnalyzer versions 7.0.0 through 7.0.10
- Fortinet FortiAnalyzer versions 7.2.0 through 7.2.4
- Fortinet FortiAnalyzer versions 7.4.0 through 7.4.1
As a temporary workaround, consider restricting access to the device configuration backup to minimize the risk of exploitation.

Fix

Weakness Enumeration

Related Identifiers

BDU:2024-07675
CVE-2024-21757

Affected Products

FortiAnalyzer
FortiManager