CVSS: 5.9EPSS: 0%CPEs: 7EXPL: 0CVE-2024-50568
https://notcve.org/view.php?id=CVE-2024-50568
10 Jun 2025 — A channel accessible by non-endpoint vulnerability [CWE-300] in Fortinet FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7 and before 7.0.14 & FortiProxy version 7.4.0 through 7.4.3, 7.2.0 through 7.2.9 and before 7.0.16 allows an unauthenticated attacker with the knowledge of device specific data to spoof the identity of a downstream device of the security fabric via crafted TCP requests. • https://fortiguard.fortinet.com/psirt/FG-IR-24-058 • CWE-300: Channel Accessible by Non-Endpoint •
CVSS: 6.8EPSS: 0%CPEs: 9EXPL: 0CVE-2025-22254
https://notcve.org/view.php?id=CVE-2025-22254
10 Jun 2025 — An Improper Privilege Management vulnerability [CWE-269] affecting Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16 and before 6.4.15, FortiProxy version 7.6.0 through 7.6.1 and before 7.4.7 & FortiWeb version 7.6.0 through 7.6.1 and before 7.4.6 allows an authenticated attacker with at least read-only admin permissions to gain super-admin privileges via crafted requests to Node.js websocket module. An Improper Privilege Management vulnerability [... • https://fortiguard.fortinet.com/psirt/FG-IR-25-006 • CWE-269: Improper Privilege Management •
CVSS: 4.8EPSS: 0%CPEs: 16EXPL: 0CVE-2024-50562
https://notcve.org/view.php?id=CVE-2024-50562
10 Jun 2025 — An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in the SSL-VPN portal to log in again, although the session has expired or was logged out. • https://fortiguard.fortinet.com/psirt/FG-IR-24-339 • CWE-613: Insufficient Session Expiration •
CVSS: 7.6EPSS: 0%CPEs: 14EXPL: 0CVE-2024-26013
https://notcve.org/view.php?id=CVE-2024-26013
08 Apr 2025 — A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15 and before 6.2.16, Fortinet FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9 and before 7.0.15, Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and before 6.2.13, Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 throug... • https://fortiguard.fortinet.com/psirt/FG-IR-24-046 • CWE-923: Improper Restriction of Communication Channel to Intended Endpoints •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2023-37930
https://notcve.org/view.php?id=CVE-2023-37930
08 Apr 2025 — Multiple issues including the use of uninitialized ressources [CWE-908] and excessive iteration [CWE-834] vulnerabilities in Fortinet FortiOS SSL VPN webmode version 7.4.0, version 7.2.0 through 7.2.5, version 7.0.1 through 7.0.11 and version 6.4.7 through 6.4.14 and Fortinet FortiProxy SSL VPN webmode version 7.2.0 through 7.2.6 and version 7.0.0 through 7.0.12 allows a VPN user to corrupt memory potentially leading to code or commands execution via specifically crafted requests. • https://fortiguard.com/psirt/FG-IR-23-165 • CWE-908: Use of Uninitialized Resource •
CVSS: 7.6EPSS: 0%CPEs: 7EXPL: 0CVE-2024-26006
https://notcve.org/view.php?id=CVE-2024-26006
14 Mar 2025 — An improper neutralization of input during web page Generation vulnerability [CWE-79] in FortiOS version 7.4.3 and below, version 7.2.7 and below, version 7.0.13 and below and FortiProxy version 7.4.3 and below, version 7.2.9 and below, version 7.0.16 and below web SSL VPN UI may allow a remote unauthenticated attacker to perform a Cross-Site Scripting attack via a malicious samba server. • https://fortiguard.fortinet.com/psirt/FG-IR-23-485 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 19EXPL: 0CVE-2024-45324
https://notcve.org/view.php?id=CVE-2024-45324
11 Mar 2025 — A use of externally-controlled format string vulnerability [CWE-134] in FortiOS version 7.4.0 through 7.4.4, version 7.2.0 through 7.2.9, version 7.0.0 through 7.0.15 and before 6.4.15, FortiProxy version 7.4.0 through 7.4.6, version 7.2.0 through 7.2.12 and before 7.0.19, FortiPAM version 1.4.0 through 1.4.2 and before 1.3.1, FortiSRA version 1.4.0 through 1.4.2 and before 1.3.1 and FortiWeb version 7.4.0 through 7.4.5, version 7.2.0 through 7.2.10 and before 7.0.10 allows a privileged attacker to execute ... • https://fortiguard.fortinet.com/psirt/FG-IR-24-325 • CWE-134: Use of Externally-Controlled Format String •
CVSS: 6.7EPSS: 0%CPEs: 14EXPL: 0CVE-2023-40721
https://notcve.org/view.php?id=CVE-2023-40721
11 Feb 2025 — A use of externally-controlled format string vulnerability [CWE-134] in Fortinet FortiOS version 7.4.0 through 7.4.1 and before 7.2.6, FortiProxy version 7.4.0 and before 7.2.7, FortiPAM version 1.1.2 and before 1.0.3, FortiSwitchManager version 7.2.0 through 7.2.2 and before 7.0.2 allows a privileged attacker to execute arbitrary code or commands via specially crafted requests. • https://fortiguard.com/psirt/FG-IR-23-261 • CWE-134: Use of Externally-Controlled Format String •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-54021
https://notcve.org/view.php?id=CVE-2024-54021
14 Jan 2025 — An improper neutralization of crlf sequences in http headers ('http response splitting') in Fortinet FortiOS 7.2.0 through 7.6.0, FortiProxy 7.2.0 through 7.4.5 allows attacker to execute unauthorized code or commands via crafted HTTP header. • https://fortiguard.fortinet.com/psirt/FG-IR-24-282 • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVSS: 9.0EPSS: 0%CPEs: 8EXPL: 0CVE-2024-48886
https://notcve.org/view.php?id=CVE-2024-48886
14 Jan 2025 — A weak authentication in Fortinet FortiOS versions 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15, FortiProxy versions 7.4.0 through 7.4.4, 7.2.0 through 7.2.10, 7.0.0 through 7.0.17, 2.0.0 through 2.0.14, FortiManager versions 7.6.0 through 7.6.1, 7.4.1 through 7.4.3, FortiManager Cloud versions 7.4.1 through 7.4.3, FortiAnalyzer Cloud versions 7.4.1 through 7.4.3 allows attacker to execute unauthorized code or commands via a brute-force attack. • https://fortiguard.fortinet.com/psirt/FG-IR-24-221 • CWE-1390: Weak Authentication •