CVE Vulnerabilities

CVE-2024-50568

Channel Accessible by Non-Endpoint

Published: Jun 10, 2025 | Modified: Jul 25, 2025
CVSS 3.x: N/A (Source: NVD)

A channel accessible by non-endpoint vulnerability [CWE-300] in Fortinet FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7 and before 7.0.14, and FortiProxy version 7.4.0 through 7.4.3, 7.2.0 through 7.2.9 and before 7.0.16, allows an unauthenticated attacker with knowledge of device-specific data to spoof the identity of a downstream device of the security fabric via crafted TCP requests.

Weakness

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

Affected Software

| Name | Vendor | Start Version | End Version |
|------|--------|---------------|-------------|
| FortiProxy | Fortinet | 7.0.0 (including) | 7.0.17 (excluding) |
| FortiProxy | Fortinet | 7.2.0 (including) | 7.2.10 (excluding) |
| FortiProxy | Fortinet | 7.4.0 (including) | 7.4.4 (excluding) |
