← Back

CVE-2021-41028

nvd nist
Published: Dec 16, 2021Modified: Nov 21, 2024

JSON object

Loading...
7.5
Vector
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.6 / Impact: 5.9
Source: NVD

Description

A combination of a use of hard-coded cryptographic key vulnerability [CWE-321] in FortiClientEMS 7.0.1 and below, 6.4.6 and below and an improper certificate validation vulnerability [CWE-297] in FortiClientWindows, FortiClientLinux and FortiClientMac 7.0.1 and below, 6.4.6 and below may allow an unauthenticated and network adjacent attacker to perform a man-in-the-middle attack between the EMS and the FCT via the telemetry protocol.

Affected (18)

Fortinet
2 products
Forticlient
Forticlient Endpoint Management Server
Configuration A
18 vulnerable
Vulnerable SoftwareAffected Versions
Fortinet
Forticlient
From 6.2.0 to 6.2.9
Forticlient
From 6.4.0 to 6.4.6
Forticlient
From 6.0.0 to 6.0.9
Forticlient
From 6.2.0 to 6.2.9
Forticlient
From 6.4.0 to 6.4.6
Forticlient
From 6.0.0 to 6.0.9
Forticlient
From 6.2.0 to 6.2.9
Forticlient
From 6.4.0 to 6.4.6
Forticlient
Version 7.0.0
Forticlient
Version 7.0.0
Forticlient
Version 7.0.0
Forticlient
Version 7.0.1
Forticlient
Version 7.0.1
Forticlient
Version 7.0.1
Fortinet
Forticlient Endpoint Management Server
From 6.2.0 to 6.2.9
Forticlient Endpoint Management Server
From 6.4.0 to 6.4.6
Forticlient Endpoint Management Server
Version 7.0.0
Forticlient Endpoint Management Server
Version 7.0.1

Related CWEs

CWE-295
Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.
CWE-798
Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key.

References (2)

Source: psirt@fortinet.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.