Cyber Posture

CVE-2024-35277

High

Published: 14 January 2025
Modified: 31 January 2025
KEV Added:
Patch
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0020 (41.7th percentile)
Risk Priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

A missing authentication for critical function in Fortinet FortiPortal version 6.0.0 through 6.0.15 and FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, and 6.4.0 through 6.4.14 allows an attacker to access the configuration of the managed devices by sending specifically crafted packets.

Security Summary

CVE-2024-35277 is a missing authentication vulnerability (CWE-306) in Fortinet FortiPortal versions 6.0.0 through 6.0.15 and FortiManager versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, and 6.4.0 through 6.4.14. The flaw stems from a lack of authentication on a critical function, enabling attackers to access the configurations of managed devices by sending specifically crafted packets. It carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity: the flaw is reachable over the network, has low attack complexity, requires no privileges or user interaction, and has a changed scope with high confidentiality impact (integrity and availability are not affected).

A remote, unauthenticated attacker can exploit this vulnerability by transmitting crafted packets to an affected instance exposed over the network. Exploitation requires no privileges or user interaction, allowing the attacker to retrieve sensitive configuration data from devices managed by FortiPortal or FortiManager. This could reveal network topology, credentials, policies, and other proprietary information, facilitating further reconnaissance or lateral movement.

The Fortinet PSIRT advisory provides details on mitigation and patching; refer to https://fortiguard.fortinet.com/psirt/FG-IR-24-135 for affected versions, workarounds, and upgrade guidance.

Details

CWE(s): CWE-306 (Missing Authentication for Critical Function)

Affected Products

Vendor: fortinet
Product: fortimanager
Versions: 6.4.0 — 6.4.15 · 7.0.0 — 7.0.13 · 7.2.0 — 7.2.6

Vendor: fortinet
Product: fortimanager cloud
Versions: 7.0.1 — 7.0.13 · 7.2.1 — 7.2.7 · 7.4.1 — 7.4.3

References