CVE-2024-33504
Published: 11 February 2025
Description
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system.
Security Summary
CVE-2024-33504 is a use of hard-coded cryptographic key vulnerability (CWE-321) affecting FortiManager versions 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.9, all versions of 7.0, and all versions of 6.4. The flaw enables decryption of some secrets even when the 'private-data-encryption' setting is enabled. It carries a CVSS v3.1 base score of 4.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N), indicating network accessibility, low attack complexity, high privileges required, no user interaction, changed scope, low confidentiality impact, and no integrity or availability effects.
Exploitation requires an attacker to possess JSON API access permissions on the affected FortiManager instance. With network access and these elevated privileges, the attacker can decrypt sensitive secrets protected by the hard-coded key, potentially exposing configuration data or other confidential information stored in the system.
Mitigation guidance is available in the Fortinet PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-24-094 and the Orange Cyberdefense security advisory at https://github.com/orangecertcc/security-research/security/advisories/GHSA-pgc3-m5p5-4vc3.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability uses a hardcoded cryptographic key allowing attackers with JSON API access to decrypt sensitive passwords (T1552, T1081) and leak adjacent memory containing usernames/ADOM data (T1033), via exploitation for credential access (T1212).