CVE-2024-33504

MEDIUM

FortiManager <7.6.1 - Memory Corruption

Title source: llm

Description

A use of hard-coded cryptographic key to encrypt sensitive data vulnerability [CWE-321] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.9, 7.0 all versions, 6.4 all versions may allow an attacker with JSON API access permissions to decrypt some secrets even if the 'private-data-encryption' setting is enabled.

References (2)

[Vendor Advisory] https://fortiguard.fortinet.com/psirt/FG-IR-24-094

[Third Party Advisory] https://github.com/orangecertcc/security-research/security/advisories/GHSA-pgc3-m5p5-4vc3

Scores

CVSS v3 4.1

EPSS 0.0004

EPSS Percentile 12.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-321

Status published

Products (2)

fortinet/fortimanager 6.4.0 - 7.2.10

fortinet/fortimanager_cloud 6.4.1 - 7.2.9

Published Feb 11, 2025

Tracked Since Feb 18, 2026