CVE-2024-33504

Use of Hard-coded Cryptographic Key

Published: Feb 11, 2025 | Modified: Jul 24, 2025
CVSS 3.x: 7.7 HIGH (Source: NVD)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

A use of a hard-coded cryptographic key to encrypt sensitive data [CWE-321] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.9, 7.0 all versions, and 6.4 all versions may allow an attacker with JSON API access permissions to decrypt some secrets even if the private-data-encryption setting is enabled.

Weakness

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

Affected Software

Name          Vendor     Start Version        End Version
Fortimanager  Fortinet   6.4.0 (including)    7.2.10 (excluding)
Fortimanager  Fortinet   7.4.0 (including)    7.4.6 (excluding)
Fortimanager  Fortinet   7.6.0 (including)    7.6.2 (excluding)
