PT-2025-28463 · Fortinet · FortiProxy +1

Published: 2025-07-08 · Updated: 2025-07-22 · CVE-2024-52965

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
  Fortinet FortiOS versions 7.0.0 through 7.0.15
  Fortinet FortiOS versions 7.2.0 through 7.2.10
  Fortinet FortiOS versions 7.4.0 through 7.4.5
  Fortinet FortiOS versions 7.6.0 through 7.6.1
  FortiProxy versions 7.0.0 through 7.0.19
  FortiProxy versions 7.2.0 through 7.2.13
  FortiProxy versions 7.4.0 through 7.4.8
  FortiProxy versions 7.6.0 through 7.6.1

Description: A missing critical step in authentication allows an API user who authenticates with an API key plus a PKI user certificate to log in even if the certificate is invalid.

Recommendations:
  For Fortinet FortiOS versions 7.0.0 through 7.0.15, update to version 7.0.16 or later.
  For Fortinet FortiOS versions 7.2.0 through 7.2.10, update to a version after 7.2.10.
  For Fortinet FortiOS versions 7.4.0 through 7.4.5, update to a version after 7.4.5.
  For Fortinet FortiOS versions 7.6.0 through 7.6.1, update to a version after 7.6.1.
  For FortiProxy versions 7.0.0 through 7.0.19, update to version 7.0.20 or later.
  For FortiProxy versions 7.2.0 through 7.2.13, update to a version after 7.2.13.
  For FortiProxy versions 7.4.0 through 7.4.8, update to a version after 7.4.8.
  For FortiProxy versions 7.6.0 through 7.6.1, update to a version after 7.6.1.
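Added example, not part of the advisory and not Fortinet code: a small Python triage helper that encodes the affected ranges listed above and flags inventory entries still running an affected build. The inventory entries and version strings are constructed sample data; the parser assumes FortiOS-style version strings such as "v7.2.10,build1706" or a bare "7.2.10".

```python
"""Triage helper for CVE-2024-52965 (PT-2025-28463).

Encodes the affected FortiOS / FortiProxy version ranges from the advisory
and checks an asset inventory against them. Sample inventory is constructed.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Inclusive (first, last) affected ranges, exactly as listed in the advisory.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "FortiOS": [((7, 0, 0), (7, 0, 15)), ((7, 2, 0), (7, 2, 10)),
                ((7, 4, 0), (7, 4, 5)), ((7, 6, 0), (7, 6, 1))],
    "FortiProxy": [((7, 0, 0), (7, 0, 19)), ((7, 2, 0), (7, 2, 13)),
                   ((7, 4, 0), (7, 4, 8)), ((7, 6, 0), (7, 6, 1))],
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse 'v7.2.10,build1706' or '7.2.10' into (7, 2, 10); reject junk."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(product: str, version: str) -> bool:
    """True if product/version falls inside an advisory range.
    Tuple comparison gets 7.0.16 > 7.0.15 right, unlike string comparison."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED.get(product, []))


def triage(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the names of inventory entries still on an affected build."""
    return [a["name"] for a in inventory if is_affected(a["product"], a["version"])]


# Constructed sample inventory (hostnames, builds are not real).
SAMPLE_INVENTORY = [
    {"name": "fw-edge-01", "product": "FortiOS", "version": "v7.2.10,build1706"},
    {"name": "fw-edge-02", "product": "FortiOS", "version": "v7.0.16,build1234"},
    {"name": "proxy-dc-01", "product": "FortiProxy", "version": "7.4.8"},
    {"name": "proxy-dc-02", "product": "FortiProxy", "version": "7.6.2"},
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: affected by CVE-2024-52965, schedule the upgrade")
```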

Related Identifiers

BDU:2025-09542
CVE-2024-52965

Affected Products

FortiOS
FortiProxy