CVE-2024-26013

Name: CVE-2024-26013
Creator: NVD / NIST
Published: 2025-04-08T14:15:30.863+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 0.42%

Last modified Jun 17, 2026

CVE-2024-26013 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15 and before 6.2.16, Fortinet FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9 and before 7.0.15, Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and before 6.2.13, Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and before 6.2.13, Fortinet FortiVoice version 7.0.0 through 7.0.2 before 6.4.8 and Fortinet FortiWeb before 7.4.2 may allow an unauthenticated attacker in a man-in-the-middle position to impersonate the management device (FortiCloud server or/and in certain conditions, FortiManager), via intercepting the FGFM authentication request between the management device and the managed device. EPSS estimates a 0.42% chance of exploitation in the next 30 days.

Description

A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15 and before 6.2.16, Fortinet FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9 and before 7.0.15, Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and before 6.2.13, Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and before 6.2.13, Fortinet FortiVoice version 7.0.0 through 7.0.2 before 6.4.8 and Fortinet FortiWeb before 7.4.2 may allow an unauthenticated attacker in a man-in-the-middle position to impersonate the management device (FortiCloud server or/and in certain conditions, FortiManager), via intercepting the FGFM authentication request between the management device and the managed device

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Probability

0.42%

33.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-923

Affected Software

Vendor	Product	Versions
Fortinet	Fortianalyzer	>= 6.2.0, < 6.2.14
Fortinet	Fortianalyzer	>= 6.4.0, < 6.4.15
Fortinet	Fortianalyzer	>= 7.0.0, < 7.0.12
Fortinet	Fortianalyzer	>= 7.2.0, < 7.2.5
Fortinet	Fortianalyzer	>= 7.4.0, < 7.4.3
Fortinet	Fortimanager	>= 6.2.0, < 6.2.14
Fortinet	Fortimanager	>= 6.4.0, < 6.4.15
Fortinet	Fortimanager	>= 7.0.0, < 7.0.12
Fortinet	Fortimanager	>= 7.2.0, < 7.2.5
Fortinet	Fortimanager	>= 7.4.0, < 7.4.3
Fortinet	Fortios	>= 6.4.0, < 7.0.16
Fortinet	Fortios	>= 7.2.0, < 7.2.9
Fortinet	Fortios	>= 7.4.0, < 7.4.5
Fortinet	Fortiproxy	>= 2.0.0, < 7.0.16
Fortinet	Fortiproxy	>= 7.2.0, < 7.2.10
Fortinet	Fortiproxy	>= 7.4.0, < 7.4.3
Fortinet	Fortivoice	>= 6.0.0, < 6.4.9
Fortinet	Fortivoice	>= 7.0.0, < 7.0.3
Fortinet	Fortiweb	>= 7.4.0, < 7.4.3

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-046Vendor Advisory

Timeline

Published: Apr 8, 2025
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2024-26013?

How severe is CVE-2024-26013?

CVE-2024-26013 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.42% probability of exploitation in the next 30 days.

How do I fix CVE-2024-26013?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-26013?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST