CVE-2024-35277 Overview
CVE-2024-35277 is a missing authentication for critical function vulnerability [CWE-306] affecting Fortinet FortiPortal and FortiManager. Attackers can access the configuration of managed devices by sending specifically crafted packets to vulnerable instances. The flaw is reachable over the network without authentication or user interaction. Successful exploitation exposes managed device configurations, which can include policy data, credentials, and network topology details. Fortinet published advisory FG-IR-24-135 to address the issue across multiple FortiManager branches and FortiPortal 6.0.
Critical Impact
Unauthenticated network attackers can read configuration data from devices managed by affected FortiPortal and FortiManager systems.
Affected Products
- Fortinet FortiPortal versions 6.0.0 through 6.0.15
- Fortinet FortiManager versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14
- Fortinet FortiManager Cloud (corresponding affected branches)
Discovery Timeline
- 2025-01-14 - CVE-2024-35277 published to NVD
- 2025-01-31 - Last updated in NVD database
Technical Details for CVE-2024-35277
Vulnerability Analysis
The vulnerability stems from a critical management function that does not enforce authentication on incoming requests. An attacker reaches the function by transmitting specifically crafted packets to the management service exposed by FortiPortal or FortiManager. The function returns or exposes configuration data for devices under management. Because authentication is absent rather than weak, no credential discovery or session hijacking is required to trigger the issue.
Exploitation impacts confidentiality of managed device configurations. Integrity and availability are not directly affected according to the published CVSS vector. The EPSS probability is 0.27% (percentile 50.671), indicating no widespread exploit activity has been observed at the time of writing.
Root Cause
The root cause is a missing authentication check [CWE-306] on a critical management function. The application exposes functionality that should be restricted to authenticated administrators without validating the caller's identity. This design oversight allows any network-reachable client to invoke the function and retrieve sensitive configuration state.
Attack Vector
The attack vector is network-based. An attacker with reachability to the FortiPortal or FortiManager management interface sends crafted packets targeting the vulnerable endpoint. No user interaction or prior privileges are required. Public exposure of management interfaces increases exploitability, and segmentation failures on internal networks enable lateral attackers to reach the service.
No public proof-of-concept code is currently available. Technical specifics are described in the Fortinet Security Advisory FG-IR-24-135.
Detection Methods for CVE-2024-35277
Indicators of Compromise
- Unexpected requests to FortiManager or FortiPortal management endpoints from unknown source IP addresses
- Outbound configuration export traffic from FortiManager or FortiPortal hosts to non-administrative endpoints
- Anomalous read patterns against managed device configuration objects without preceding authentication events
Detection Strategies
- Monitor management service logs for requests that reach configuration retrieval functions without an associated authenticated session
- Compare source IPs hitting management ports against an allowlist of administrative workstations and jump hosts
- Alert on high-volume or scripted access patterns targeting FortiManager APIs over short time windows
Monitoring Recommendations
- Forward FortiManager, FortiManager Cloud, and FortiPortal logs to a centralized SIEM for correlation with network telemetry
- Enable packet capture on management VLANs to retain evidence of crafted packet sequences for forensic review
- Track changes to managed device configurations to detect downstream tampering that follows configuration disclosure
How to Mitigate CVE-2024-35277
Immediate Actions Required
- Upgrade FortiManager and FortiManager Cloud to a fixed release as listed in FG-IR-24-135, and FortiPortal to a version beyond 6.0.15
- Restrict network access to FortiManager and FortiPortal management interfaces to administrative subnets only
- Audit recent management logs and network captures for signs of unauthenticated access to configuration functions
Patch Information
Fortinet has released fixed versions for affected FortiManager and FortiPortal branches. Refer to the Fortinet Security Advisory FG-IR-24-135 for the specific upgrade targets matching your deployed branch. Customers running FortiManager Cloud should validate that their tenant has been moved to a fixed build.
Workarounds
- Place management interfaces behind a VPN or bastion host to remove direct internet reachability
- Apply firewall rules limiting inbound connections to FortiManager and FortiPortal services to known administrator source addresses
- Disable or block external access to the affected management endpoints until patching is complete
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

