CVE-2024-50568

Published: Jun 10, 2025Modified: Jul 25, 2025

5.9

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.2 / Impact: 3.6

Source: psirt@fortinet.com (Secondary)

Description

A channel accessible by non-endpoint vulnerability [CWE-300] in Fortinet FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7 and before 7.0.14 & FortiProxy version 7.4.0 through 7.4.3, 7.2.0 through 7.2.9 and before 7.0.16 allows an unauthenticated attacker with the knowledge of device specific data to spoof the identity of a downstream device of the security fabric via crafted TCP requests.

Affected (5)

Products: Fortinet: Fortiproxy, Fortios

2 products

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortiproxy	From 7.0.0 to 7.0.17
Fortinet Fortiproxy	From 7.2.0 to 7.2.10
Fortinet Fortiproxy	From 7.4.0 to 7.4.4

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortios	From 6.4.2 to 7.2.9
Fortinet Fortios	From 7.4.0 to 7.4.4

Related CWEs

Channel Accessible by Non-Endpoint

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

References (1)

https://fortiguard.fortinet.com/psirt/FG-IR-24-058

Source: psirt@fortinet.com

Vendor Advisory

Timeline

No history available yet.