CVE-2024-33504

MEDIUM

FortiManager <7.6.1 - Memory Corruption

Title source: llm

Description

A use of hard-coded cryptographic key to encrypt sensitive data vulnerability [CWE-321] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.9, 7.0 all versions, 6.4 all versions may allow an attacker with JSON API access permissions to decrypt some secrets even if the 'private-data-encryption' setting is enabled.

References (2)

Core 2

Core References

Vendor Advisory

https://fortiguard.fortinet.com/psirt/FG-IR-24-094

Third Party Advisory

https://github.com/orangecertcc/security-research/security/advisories/GHSA-pgc3-m5p5-4vc3

Scores

CVSS v3 4.1

EPSS 0.0028

EPSS Percentile 19.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-321

Status published

Products (2)

fortinet/fortimanager 6.4.0 - 7.2.10

fortinet/fortimanager_cloud 6.4.1 - 7.2.9

Published Feb 11, 2025

Tracked Since Feb 18, 2026