CVE-2024-52965

Published: Jul 8, 2025Modified: Jul 22, 2025

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: psirt@fortinet.com (Secondary)

Description

A missing critical step in authentication vulnerability [CWE-304] in Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.10, and before 7.0.16 & FortiProxy version 7.6.0 through 7.6.1, 7.4.0 through 7.4.8, 7.2.0 through 7.2.13 and before 7.0.20 allows an API-user using api-key + PKI user certificate authentication to login even if the certificate is invalid.

Affected (9)

Products: Fortinet: Fortios, Fortiproxy

Fortinet

2 products

Fortios

Fortiproxy

Configuration A

9 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortios	From 7.0.1 to 7.0.17
Fortinet Fortios	From 7.2.0 to 7.2.11
Fortinet Fortios	From 7.4.0 to 7.4.6
Fortinet Fortios	Version 7.6.0
Fortinet Fortios	Version 7.6.1
Fortinet Fortiproxy	From 7.0.0 to 7.0.21
Fortinet Fortiproxy	From 7.2.0 to 7.2.14
Fortinet Fortiproxy	From 7.4.0 to 7.4.9
Fortinet Fortiproxy	From 7.6.0 to 7.6.2

Related CWEs

CWE-304

Missing Critical Step in Authentication

The product implements an authentication technique, but it skips a step that weakens the technique.

References (1)

https://fortiguard.fortinet.com/psirt/FG-IR-24-511

Source: psirt@fortinet.com

Vendor Advisory

Timeline

No history available yet.