CVE-2024-40585

Published: Mar 14, 2025Modified: Jul 23, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: psirt@fortinet.com (Secondary)

Description

An insertion of sensitive information into log file vulnerabilities [CWE-532] in FortiManager version 7.4.0, version 7.2.3 and below, version 7.0.8 and below, version 6.4.12 and below, version 6.2.11 and below and FortiAnalyzer version 7.4.0, version 7.2.3 and below, version 7.0.8 and below, version 6.4.12 and below, version 6.2.11 and below eventlog may allow any low privileged user with access to event log section to retrieve certificate private key and encrypted password logged as system log.

Affected (8)

Products: Fortinet: Fortimanager, Fortianalyzer

Fortinet

2 products

Fortimanager

Fortianalyzer

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortimanager	From 6.2.0 to 7.0.9
Fortinet Fortimanager	From 7.2.0 to 7.2.4
Fortinet Fortimanager	Version 7.4.0

Configuration B

5 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortianalyzer	From 6.2.0 to 6.2.12
Fortinet Fortianalyzer	From 6.4.0 to 6.4.13
Fortinet Fortianalyzer	From 7.0.0 to 7.0.9
Fortinet Fortianalyzer	From 7.2.0 to 7.2.4
Fortinet Fortianalyzer	Version 7.4.0

Related CWEs

CWE-532

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References (1)

https://fortiguard.fortinet.com/psirt/FG-IR-24-311

Source: psirt@fortinet.com

Vendor Advisory

Timeline

No history available yet.