Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-35277

CVE-2024-35277: Fortinet FortiManager Auth Bypass Flaw

CVE-2024-35277 is an authentication bypass vulnerability in Fortinet FortiManager allowing attackers to access managed device configurations. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2024-35277 Overview

CVE-2024-35277 is a missing authentication for critical function vulnerability [CWE-306] affecting Fortinet FortiPortal and FortiManager. Attackers can access the configuration of managed devices by sending specifically crafted packets to vulnerable instances. The flaw is reachable over the network without authentication or user interaction. Successful exploitation exposes managed device configurations, which can include policy data, credentials, and network topology details. Fortinet published advisory FG-IR-24-135 to address the issue across multiple FortiManager branches and FortiPortal 6.0.

Critical Impact

Unauthenticated network attackers can read configuration data from devices managed by affected FortiPortal and FortiManager systems.

Affected Products

  • Fortinet FortiPortal versions 6.0.0 through 6.0.15
  • Fortinet FortiManager versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14
  • Fortinet FortiManager Cloud (corresponding affected branches)

Discovery Timeline

  • 2025-01-14 - CVE-2024-35277 published to NVD
  • 2025-01-31 - Last updated in NVD database

Technical Details for CVE-2024-35277

Vulnerability Analysis

The vulnerability stems from a critical management function that does not enforce authentication on incoming requests. An attacker reaches the function by transmitting specifically crafted packets to the management service exposed by FortiPortal or FortiManager. The function returns or exposes configuration data for devices under management. Because authentication is absent rather than weak, no credential discovery or session hijacking is required to trigger the issue.

Exploitation impacts confidentiality of managed device configurations. Integrity and availability are not directly affected according to the published CVSS vector. The EPSS probability is 0.27% (percentile 50.671), indicating no widespread exploit activity has been observed at the time of writing.

Root Cause

The root cause is a missing authentication check [CWE-306] on a critical management function. The application exposes functionality that should be restricted to authenticated administrators without validating the caller's identity. This design oversight allows any network-reachable client to invoke the function and retrieve sensitive configuration state.

Attack Vector

The attack vector is network-based. An attacker with reachability to the FortiPortal or FortiManager management interface sends crafted packets targeting the vulnerable endpoint. No user interaction or prior privileges are required. Public exposure of management interfaces increases exploitability, and segmentation failures on internal networks enable lateral attackers to reach the service.

No public proof-of-concept code is currently available. Technical specifics are described in the Fortinet Security Advisory FG-IR-24-135.

Detection Methods for CVE-2024-35277

Indicators of Compromise

  • Unexpected requests to FortiManager or FortiPortal management endpoints from unknown source IP addresses
  • Outbound configuration export traffic from FortiManager or FortiPortal hosts to non-administrative endpoints
  • Anomalous read patterns against managed device configuration objects without preceding authentication events

Detection Strategies

  • Monitor management service logs for requests that reach configuration retrieval functions without an associated authenticated session
  • Compare source IPs hitting management ports against an allowlist of administrative workstations and jump hosts
  • Alert on high-volume or scripted access patterns targeting FortiManager APIs over short time windows

Monitoring Recommendations

  • Forward FortiManager, FortiManager Cloud, and FortiPortal logs to a centralized SIEM for correlation with network telemetry
  • Enable packet capture on management VLANs to retain evidence of crafted packet sequences for forensic review
  • Track changes to managed device configurations to detect downstream tampering that follows configuration disclosure

How to Mitigate CVE-2024-35277

Immediate Actions Required

  • Upgrade FortiManager and FortiManager Cloud to a fixed release as listed in FG-IR-24-135, and FortiPortal to a version beyond 6.0.15
  • Restrict network access to FortiManager and FortiPortal management interfaces to administrative subnets only
  • Audit recent management logs and network captures for signs of unauthenticated access to configuration functions

Patch Information

Fortinet has released fixed versions for affected FortiManager and FortiPortal branches. Refer to the Fortinet Security Advisory FG-IR-24-135 for the specific upgrade targets matching your deployed branch. Customers running FortiManager Cloud should validate that their tenant has been moved to a fixed build.

Workarounds

  • Place management interfaces behind a VPN or bastion host to remove direct internet reachability
  • Apply firewall rules limiting inbound connections to FortiManager and FortiPortal services to known administrator source addresses
  • Disable or block external access to the affected management endpoints until patching is complete

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.