Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2024-33504
CVE-2024-33504:
Fortinet FortiManager vulnerability analysis and mitigation
Overview
A use of hard-coded cryptographic key vulnerability (CVE-2024-33504) was discovered in FortiManager affecting versions 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.9, and all versions of 7.0 and 6.4. The vulnerability was initially reported on March 15, 2024, and was publicly disclosed on February 11, 2025. This security flaw allows an attacker with JSON API access permissions to decrypt sensitive data even when the 'private-data-encryption' setting is enabled (Fortinet PSIRT, NVD).
Technical details
The vulnerability stems from the use of a publicly known AES-CBC encryption key (previously disclosed in CVE-2019-6693) to encrypt passwords in the FortiManager system. The flaw affects various password storage mechanisms, including local users, SDN Connectors, and Clearpass users passwords. The issue is compounded by improper buffer handling, where passwords are stored in a fixed 128-byte buffer without proper initialization, potentially leading to information disclosure from contiguous memory. The vulnerability has been assigned a CVSS v3.1 base score of 4.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N (GitHub Advisory).
Impact
The vulnerability can lead to the exposure of sensitive information, including usernames, ADOM names, and potentially internal system addresses. When decrypting passwords, the uninitialized portions of the buffer may reveal sensitive values from adjacent memory locations. This could potentially allow attackers to extract sensitive internal data from the system (GitHub Advisory).
Mitigation and workarounds
Fortinet has released patches to address this vulnerability. Users are advised to upgrade to FortiManager version 7.6.2 or above for 7.6 branch, 7.4.6 or above for 7.4 branch, and 7.2.10 or above for 7.2 branch. Users running versions 7.0 and 6.4 should migrate to a fixed release. For FortiManager Cloud, similar upgrade paths are recommended: 7.4.6 or above for 7.4 branch, and 7.2.9 or above for 7.2 branch (Fortinet PSIRT).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management