PT-2025-6256 · Fortinet · FortiManager
Loic Restoux · Published 2024-03-15 · Updated 2025-02-13
CVE-2024-33504
CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
FortiManager versions 6.4 through 7.6.1
FortiManager version 7.0
Description:
The vulnerability is caused by a hard-coded cryptographic key in the FortiManager interface, which a remote attacker can use to disclose confidential information. An attacker with JSON API access permissions may be able to decrypt some stored secrets, even when the 'private-data-encryption' setting is enabled.
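To make the description concrete, here is an added illustrative example in Python. It is not FortiManager code and makes no claim about how FortiManager implements its encryption; it only contrasts the weakness class with its fix. A secrets store whose key is a constant compiled into the software shares that key across every installation, so anyone who has a copy of the software can read the "encrypted" data; a store that generates a random key per installation and keeps it in a protected file does not have this property. All names (`HARDCODED_KEY`, `load_or_create_install_key`, the `.key` paths, `vulnerable_scenario`, `hardened_scenario`) are hypothetical and the key value is constructed. Because the example uses only the standard library, the cipher is an HMAC-SHA256 keystream with an HMAC tag, standing in for an authenticated cipher such as AES-GCM from a vetted library.

```python
"""Illustrative example (added; not FortiManager code): why a hard-coded key
defeats an 'encrypt private data at rest' feature, and the per-installation
key that fixes it. Standard library only, so the cipher below is an
HMAC-SHA256 keystream plus HMAC tag; production code would use AES-GCM
from a vetted library. All names and values are hypothetical/constructed."""
import hashlib
import hmac
import os
import secrets
import tempfile

# Vulnerable pattern: one key baked into the shipped software. Every
# installation shares it, so anyone holding the software holds the key.
HARDCODED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed value


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from key+nonce with HMAC in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag under `key`, then decrypt; a wrong key fails closed."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def load_or_create_install_key(path: str) -> bytes:
    """Fixed pattern: a random key generated once per installation and kept in
    a file readable only by the service account (mode 0600), never in code."""
    if os.path.exists(path):
        with open(path, "rb") as f:
            return f.read()
    key = secrets.token_bytes(32)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key)
    return key


def vulnerable_scenario() -> bytes:
    """Installation A stores a credential with the shipped constant. Someone
    with only a copy of the software (hence HARDCODED_KEY) recovers it.
    Returns the recovered plaintext."""
    blob = encrypt(HARDCODED_KEY, b"admin-password")   # written by installation A
    key_from_software_copy = HARDCODED_KEY              # same constant everywhere
    return decrypt(key_from_software_copy, blob)


def hardened_scenario() -> bool:
    """Two installations with their own keys: A can read its own data, B's key
    fails authentication on A's data, and A's key survives a reload.
    Returns True when all three hold."""
    with tempfile.TemporaryDirectory() as d:
        path_a = os.path.join(d, "install_a.key")
        key_a = load_or_create_install_key(path_a)
        key_b = load_or_create_install_key(os.path.join(d, "install_b.key"))
        blob = encrypt(key_a, b"admin-password")
        owner_ok = decrypt(key_a, blob) == b"admin-password"
        try:
            decrypt(key_b, blob)
            cross_fails = False
        except ValueError:
            cross_fails = True
        persisted = load_or_create_install_key(path_a) == key_a
        return owner_ok and cross_fails and persisted


if __name__ == "__main__":
    print("hard-coded key, read with a software copy:", vulnerable_scenario())
    print("per-installation key isolates installs:", hardened_scenario())
```

The point is the key, not the cipher: with the constant key, the encryption setting changes the storage format but not who can read the data, which is why the description says secrets remain exposed even with 'private-data-encryption' enabled. With a per-installation key, a ciphertext from one installation fails authentication under another's key, and reading it additionally requires access to the key file, which stays under the host's own access controls.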
Recommendations:
For FortiManager versions 6.4 through 7.6.1, update to a version that does not use a hard-coded cryptographic key.
For FortiManager version 7.0, update to a version that does not use a hard-coded cryptographic key.
As a temporary workaround, consider restricting access to the JSON API to minimize the risk of exploitation.
Affected Products
FortiManager