CVE-2024-26009 Overview
CVE-2024-26009 is an authentication bypass vulnerability [CWE-288] affecting multiple Fortinet products that use the FortiGate-to-FortiManager (FGFM) protocol. The flaw allows an unauthenticated remote attacker to seize control of a managed device by sending crafted FGFM requests. Exploitation requires the device to be managed by a FortiManager and the attacker to know the FortiManager's serial number. Affected products include FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager across multiple version ranges. Fortinet published the advisory as FG-IR-24-042.
Critical Impact
An unauthenticated network attacker who knows the managing FortiManager serial number can take full administrative control of managed FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager devices.
Affected Products
- Fortinet FortiOS 6.0 (all versions), 6.2.0 through 6.2.16, and 6.4.0 through 6.4.15
- Fortinet FortiProxy 7.0.0 through 7.0.15, 7.2.0 through 7.2.8, and 7.4.0 through 7.4.2
- Fortinet FortiPAM 1.0.0 through 1.0.3, 1.1.0 through 1.1.2, and 1.2.0
- Fortinet FortiSwitchManager 7.0.0 through 7.0.3 and 7.2.0 through 7.2.3
Discovery Timeline
- 2025-08-12 - CVE-2024-26009 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2024-26009
Vulnerability Analysis
The vulnerability resides in the FortiGate-to-FortiManager (FGFM) protocol implementation used to manage Fortinet devices centrally. FGFM normally authenticates managed devices and the central FortiManager during management session establishment. This flaw provides an alternate path or channel that bypasses that authentication. An unauthenticated remote attacker who can reach the FGFM service and knows the managing FortiManager's serial number can impersonate the manager. The attacker can then issue management commands and effectively take control of the managed device. Successful exploitation compromises confidentiality, integrity, and availability of the managed Fortinet appliance. The attack complexity is elevated because the FortiManager serial number must be known in advance, which limits opportunistic exploitation.
Root Cause
The root cause is improper authentication of FGFM management requests, categorized under [CWE-288] (Authentication Bypass Using an Alternate Path or Channel). The protocol path treats possession of the FortiManager serial number as a sufficient trust anchor, allowing requests that should require full mutual authentication to be processed.
Attack Vector
The attack is conducted over the network against the FGFM service exposed by managed FortiOS, FortiProxy, FortiPAM, or FortiSwitchManager devices. The attacker crafts FGFM protocol requests that include the target FortiManager's serial number. No user interaction or prior authentication is required. The protocol vulnerability is described in detail in the Fortinet PSIRT Advisory FG-IR-24-042.
Detection Methods for CVE-2024-26009
Indicators of Compromise
- Unexpected FGFM connections from IP addresses that are not the authorized FortiManager appliance.
- Configuration changes on managed Fortinet devices that do not correlate with authorized FortiManager workflows or change windows.
- New or modified administrator accounts, policies, or VPN tunnels appearing on managed FortiOS, FortiProxy, FortiPAM, or FortiSwitchManager devices.
- Log entries showing repeated FGFM handshake attempts referencing the production FortiManager serial number from unknown sources.
Detection Strategies
- Restrict and monitor TCP port 541 (FGFM) traffic, alerting on any source other than the designated FortiManager.
- Correlate FortiManager audit logs with managed-device configuration change logs to identify changes that have no matching FortiManager workflow.
- Hunt for anomalous administrative sessions or CLI activity originating from the FGFM channel outside maintenance windows.
Monitoring Recommendations
- Forward FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager system and event logs to a centralized SIEM for retention and correlation.
- Baseline normal FGFM traffic patterns, including expected source IP, frequency, and session duration, and alert on deviations.
- Track exposure of the FGFM service to untrusted networks using continuous external attack-surface monitoring.
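The two indicators most worth automating above are FGFM sessions from a source other than the designated FortiManager and device configuration changes with no matching FortiManager workflow. The script below is an added example for this page, not Fortinet code: it runs both checks over constructed FortiOS-style key=value log lines. The field names it reads (date, time, type, srcip, dstport, cfgpath, cfgobj) and the FortiManager audit format are assumptions about the log schema and must be mapped to the real fields in your SIEM.

```python
"""Detection checks for CVE-2024-26009 indicators.

Added example for this page, not Fortinet code. The log lines are
constructed in a FortiOS-style key=value layout; the field names used
(date, time, type, srcip, dstport, cfgpath, cfgobj) are assumptions about
the schema and must be mapped to the real fields in your SIEM.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed: the single FortiManager that is allowed to open FGFM sessions.
AUTHORIZED_FORTIMANAGER = {"10.20.0.5"}
FGFM_PORT = "541"

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict[str, str]:
    """Split a key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def timestamp(fields: dict[str, str]) -> datetime:
    """Combine the date and time fields of a parsed line into a datetime."""
    return datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")


def unauthorized_fgfm(lines, allowlist=AUTHORIZED_FORTIMANAGER) -> Counter:
    """Count TCP/541 sessions per source IP for sources outside the allow-list.

    Covers the 'unexpected FGFM connections' indicator: any non-FortiManager
    peer talking to the FGFM port is worth an alert, regardless of volume.
    """
    hits: Counter = Counter()
    for line in lines:
        f = parse_kv(line)
        if f.get("dstport") == FGFM_PORT and f.get("srcip") not in allowlist:
            hits[f["srcip"]] += 1
    return hits


def uncorrelated_changes(device_lines, fmg_audit_lines, window=timedelta(minutes=5)):
    """Return configuration-change events with no FortiManager audit entry nearby.

    Implements the audit-correlation strategy: a change on the managed device
    should line up with an install recorded on the FortiManager. Changes with
    no audit record within +/- window are candidates for an unauthorized
    management session.
    """
    audit_times = [timestamp(parse_kv(l)) for l in fmg_audit_lines]
    orphans = []
    for line in device_lines:
        f = parse_kv(line)
        if f.get("type") != "event" or "cfgpath" not in f:
            continue
        t = timestamp(f)
        if not any(abs(t - a) <= window for a in audit_times):
            orphans.append((f["time"], f["cfgpath"], f.get("cfgobj", "")))
    return orphans


# Constructed sample data: one legitimate FGFM session, two from an unknown
# source, then a config change that no FortiManager push explains, and one
# that does line up with a recorded install.
DEVICE_LOGS = [
    'date=2024-03-01 time=09:58:11 type=traffic subtype=local srcip=10.20.0.5 dstip=10.20.0.1 dstport=541 action=accept',
    'date=2024-03-01 time=10:14:40 type=traffic subtype=local srcip=198.51.100.23 dstip=10.20.0.1 dstport=541 action=accept',
    'date=2024-03-01 time=10:14:52 type=traffic subtype=local srcip=198.51.100.23 dstip=10.20.0.1 dstport=541 action=accept',
    'date=2024-03-01 time=10:15:02 type=event subtype=system logdesc="Object attribute configured" cfgpath="system.admin" cfgobj="svc_backup"',
    'date=2024-03-01 time=11:30:00 type=event subtype=system logdesc="Object attribute configured" cfgpath="firewall.policy" cfgobj="12"',
]
FMG_AUDIT_LOGS = [
    'date=2024-03-01 time=11:29:40 user=admin action="install config" device="FGT-EDGE-01"',
]

if __name__ == "__main__":
    for src, n in unauthorized_fgfm(DEVICE_LOGS).items():
        print(f"ALERT: {n} FGFM session(s) from non-FortiManager source {src}")
    for when, path, obj in uncorrelated_changes(DEVICE_LOGS, FMG_AUDIT_LOGS):
        print(f"REVIEW: config change at {when} on {path} ({obj}) with no FortiManager audit entry")
```

On the sample data the first check reports two FGFM sessions from 198.51.100.23 and the second flags the 10:15:02 administrator-account change, while the 11:30:00 policy change is explained by the install logged on the FortiManager twenty seconds earlier. The correlation window is deliberately short; widen it to match how long an install on your FortiManager takes to land on the device.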
How to Mitigate CVE-2024-26009
Immediate Actions Required
- Identify all FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager devices in scope and confirm their versions against the affected ranges in FG-IR-24-042.
- Upgrade affected devices to a fixed release as specified in the Fortinet advisory.
- Restrict FGFM service exposure (TCP/541) to only the authorized FortiManager management IP addresses using local-in policies or upstream firewall rules.
- Treat the FortiManager serial number as sensitive operational data and limit its distribution.
Patch Information
Fortinet has published fixed versions in the PSIRT advisory FG-IR-24-042. Apply the upgrade path listed in the advisory for each affected product line: FortiOS 6.2 and 6.4 branches, FortiProxy 7.0, 7.2, and 7.4 branches, FortiPAM 1.0, 1.1, and 1.2 branches, and FortiSwitchManager 7.0 and 7.2 branches. FortiOS 6.0 is end-of-support and customers should migrate to a supported branch.
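Confirming versions against the affected ranges is the first step above, and it is easy to get wrong by hand across four product lines. The following Python is an added example, not Fortinet tooling: it encodes the ranges exactly as listed under Affected Products (treating FortiOS 6.0 as affected in every version) and triages a constructed inventory. The inventory format and the hostnames are assumptions. A version outside the listed ranges is reported as "outside-listed-ranges", not as fixed; the fixed releases come from FG-IR-24-042.

```python
"""Triage a device inventory against the CVE-2024-26009 affected ranges.

Added example, not Fortinet tooling. The version ranges are copied from
the Affected Products list on this page; the inventory lines are
constructed. A version outside these ranges is only "not listed": confirm
the fixed release against FG-IR-24-042 rather than treating it as proof.
"""

Version = tuple[int, ...]

# Inclusive (low, high) ranges per product, as listed on this page.
AFFECTED_RANGES: dict[str, list[tuple[str, str]]] = {
    "FortiOS": [("6.2.0", "6.2.16"), ("6.4.0", "6.4.15")],
    "FortiProxy": [("7.0.0", "7.0.15"), ("7.2.0", "7.2.8"), ("7.4.0", "7.4.2")],
    "FortiPAM": [("1.0.0", "1.0.3"), ("1.1.0", "1.1.2"), ("1.2.0", "1.2.0")],
    "FortiSwitchManager": [("7.0.0", "7.0.3"), ("7.2.0", "7.2.3")],
}
# Whole branches affected in every version (FortiOS 6.0, all versions).
AFFECTED_BRANCHES: dict[str, list[Version]] = {"FortiOS": [(6, 0)]}


def parse_version(text: str) -> Version:
    """'v7.0.15,build0632' -> (7, 0, 15); a leading 'v' and build suffix are ignored."""
    core = text.strip().split(",")[0].split(" ")[0]
    return tuple(int(p) for p in core.lstrip("v").split("."))


def is_affected(product: str, version: str) -> bool:
    """True if the version falls in a listed range or a wholly affected branch."""
    v = parse_version(version)
    if any(v[: len(b)] == b for b in AFFECTED_BRANCHES.get(product, [])):
        return True
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES.get(product, []))


def triage(inventory_lines):
    """Return (hostname, product, version, verdict) for 'host product version' rows."""
    results = []
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            results.append((line, "?", "?", "unparsable"))
            continue
        host, product, version = parts
        if product not in AFFECTED_RANGES and product not in AFFECTED_BRANCHES:
            verdict = "not-listed-product"
        else:
            verdict = "AFFECTED" if is_affected(product, version) else "outside-listed-ranges"
        results.append((host, product, version, verdict))
    return results


# Constructed inventory: hostname, product, version as reported by the device.
INVENTORY = [
    "# hostname product version",
    "FGT-EDGE-01 FortiOS v6.4.14,build2093",
    "FGT-LAB-03 FortiOS 6.0.12",
    "FPX-DMZ-01 FortiProxy 7.4.2",
    "FPX-DMZ-02 FortiProxy 7.2.9",
    "FPAM-01 FortiPAM 1.2.1",
    "FSWM-01 FortiSwitchManager 7.0.3",
]

if __name__ == "__main__":
    for host, product, version, verdict in triage(INVENTORY):
        print(f"{host:12} {product:20} {version:22} {verdict}")
```

Versions compare as integer tuples, so 6.4.15 sorts before 6.4.16 and the range bounds are inclusive, matching the "through" wording of the list. Feed the script the output of each device's version report and patch every row marked AFFECTED first.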
Workarounds
- If immediate patching is not possible, block inbound FGFM (TCP/541) traffic at the network perimeter and on the device using local-in policies, permitting only the authorized FortiManager source IP.
- Place managed Fortinet devices and the FortiManager on a dedicated, isolated management network not reachable from user or internet-facing segments.
- Rotate or restrict knowledge of the FortiManager serial number and audit who has access to FortiManager configuration exports.
# Example: restrict FGFM (TCP/541) to the authorized FortiManager only.
# Prerequisites: the address object used as srcaddr must exist (the IP
# below is a placeholder for the real FortiManager address), and a
# service object named "FGFM" covering TCP/541 must exist; create it as a
# custom service if it is not predefined on your release.
# Local-in policies are matched in order, so the accept rule precedes the deny.
config firewall address
    edit "FortiManager-IP"
        set subnet 203.0.113.10 255.255.255.255
    next
end
config firewall local-in-policy
    edit 1
        set intf "any"
        set srcaddr "FortiManager-IP"
        set dstaddr "all"
        set service "FGFM"
        set action accept
        set schedule "always"
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "FGFM"
        set action deny
        set schedule "always"
    next
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.