CVE-2024-26006
Published: 14 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2024-26006 is an improper neutralization of input during web page generation vulnerability (CWE-79), enabling cross-site scripting (XSS) in the web SSL VPN UI of FortiOS versions 7.4.3 and below, 7.2.7 and below, and 7.0.13 and below, as well as FortiProxy versions 7.4.3 and below, 7.2.9 and below, and 7.0.16 and below. Published on 2025-03-14, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote unauthenticated attacker can exploit this vulnerability by leveraging a malicious Samba server to inject scripts into the SSL VPN web UI. Exploitation requires high attack complexity and user interaction, such as a victim using the VPN portal in a way that makes it connect to the attacker-controlled Samba server; a successful attack has high impact on confidentiality, integrity, and availability within the user's browser context.
Fortinet's advisory at https://fortiguard.fortinet.com/psirt/FG-IR-23-485 provides details on affected versions and mitigation recommendations. Security practitioners should consult this reference for patching instructions and workarounds.
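The weakness class behind this CVE (CWE-79) is a web UI that takes names supplied by a remote server and writes them into its HTML without neutralizing them. The following added example, which is not Fortinet code and makes no claim about how the FortiOS SSL VPN portal is implemented, contrasts a hypothetical file-listing renderer written in the vulnerable pattern with the hardened form, and adds a small check a defender could use to flag share entries carrying markup characters before they reach the browser. The sample entries, including the script payload, are constructed for the demonstration.

```python
import html

# Constructed sample: entries as a file-browsing portal might receive them
# from a remote SMB share. Two names carry markup characters on purpose.
SAMPLE_ENTRIES = [
    {"name": "report.pdf", "size": 1024},
    {"name": "<script>alert(document.cookie)</script>.txt", "size": 0},
    {"name": 'notes" onmouseover="alert(1)', "size": 12},
]

# Characters that must never reach an HTML context unescaped.
MARKUP_CHARS = set('<>"\'&')


def render_listing_unsafe(entries):
    """Vulnerable pattern (CWE-79): server-supplied names are concatenated
    into the page verbatim, so a hostile share name becomes live markup."""
    rows = "".join(
        f"<tr><td>{e['name']}</td><td>{e['size']}</td></tr>" for e in entries
    )
    return f"<table>{rows}</table>"


def render_listing_safe(entries):
    """Hardened form: every untrusted string is HTML-escaped for the context
    it is written into (quote=True also escapes ' and "), and numeric fields
    are coerced to int so they cannot carry text at all."""
    rows = "".join(
        f"<tr><td>{html.escape(e['name'], quote=True)}</td>"
        f"<td>{int(e['size'])}</td></tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


def flag_suspicious_names(entries):
    """Defensive check: return the names that contain any markup character.
    A portal could log these (with the originating server) as a signal that
    a remote share is serving hostile entries."""
    return [e["name"] for e in entries if MARKUP_CHARS & set(e["name"])]


if __name__ == "__main__":
    print("unsafe:", render_listing_unsafe(SAMPLE_ENTRIES))
    print("safe:  ", render_listing_safe(SAMPLE_ENTRIES))
    print("flagged:", flag_suspicious_names(SAMPLE_ENTRIES))
```

The escaping belongs at the point where the value is written into HTML, not at the point where it is read from the network, because the same name may later be placed into a JavaScript string or a URL, each of which needs a different encoding.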
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an XSS vulnerability (CWE-79) in the public-facing SSL VPN web UI, directly enabling exploitation of public-facing applications via script injection and execution of JavaScript in the victim's browser context.