CVE-2024-52965

HIGH

Fortinet FortiOS <7.6.1 & FortiProxy <7.6.1 - Auth Bypass

Title source: llm

Description

A missing critical step in authentication vulnerability [CWE-304] in Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.10, and before 7.0.16 & FortiProxy version 7.6.0 through 7.6.1, 7.4.0 through 7.4.8, 7.2.0 through 7.2.13 and before 7.0.20 allows an API user using api-key + PKI user certificate authentication to log in even if the certificate is invalid.

References (1)


Scores

CVSS v3 7.2
EPSS 0.0013
EPSS Percentile 32.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-304
Status published
Products (4)
fortinet/fortios 7.6.0
fortinet/fortios 7.6.1
fortinet/fortios 7.0.1 - 7.0.17
fortinet/fortiproxy 7.0.0 - 7.0.21
Published Jul 08, 2025
Tracked Since Feb 18, 2026