CVE-2024-26009: 
FortiOS vulnerability analysis and mitigation

CVE-2024-26009 is an authentication bypass vulnerability using an alternate path or channel (CWE-288) that affects multiple Fortinet products including FortiOS, FortiProxy, and FortiPAM. The vulnerability was discovered internally by Théo Leleu of the Fortinet Product Security team and was initially published on August 12, 2025. This high-severity vulnerability, with a CVSS score of 7.9, affects various versions of FortiOS (6.4.0-6.4.15, 6.2.0-6.2.16, and all 6.0 versions), FortiProxy (7.4.0-7.4.2, 7.2.0-7.2.8, 7.0.0-7.0.15), and FortiPAM (all versions up to 1.2.0) (Fortinet Advisory, CERT-EU).

The vulnerability allows an unauthenticated attacker to seize control of a managed device through crafted FGFM requests. Two specific conditions must be met for successful exploitation: the target device must be managed by a FortiManager, and the attacker must know the FortiManager's serial number. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, this vulnerability allows an attacker to execute unauthorized code or commands and potentially seize complete control of the managed device. The high CVSS score reflects the significant potential impact on the confidentiality, integrity, and availability of the affected systems (Fortinet Advisory).

Fortinet has released security updates to address this vulnerability. Users of affected products should upgrade to the following versions: FortiOS users should upgrade to version 6.4.16 or above for the 6.4 branch, and 6.2.17 or above for the 6.2 branch. FortiProxy users should upgrade to versions 7.4.3, 7.2.9, or 7.0.16 or above, depending on their current branch. FortiPAM users on versions 1.0 through 1.2 should migrate to a fixed release. Users can follow the recommended upgrade path using Fortinet's upgrade tool (Fortinet Advisory).