CVE-2024-46665: 
FortiOS vulnerability analysis and mitigation

An insertion of sensitive information into sent data vulnerability (CVE-2024-46665) affects FortiOS versions 7.6.0 and 7.4.0 through 7.4.4. The vulnerability was discovered and disclosed on January 14, 2025, impacting the RADIUS accounting server functionality in FortiOS systems (Fortinet Advisory).

The vulnerability is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data) with a CVSS v3.1 base score of 3.7 LOW (Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). The issue specifically affects the RADIUS accounting server feature, where an attacker in a man-in-the-middle position could potentially intercept accounting-requests to retrieve the RADIUS accounting server shared secret (NVD Database).

The primary impact of this vulnerability is the potential exposure of sensitive information. An attacker who successfully exploits this vulnerability could obtain the RADIUS accounting server shared secret, which could lead to unauthorized access to authentication information (Fortinet Advisory).

Fortinet has provided multiple mitigation options: 1) Upgrade FortiOS 7.6.0 to version 7.6.1 or above, 2) Upgrade FortiOS 7.4.0-7.4.4 to version 7.4.5 or above. Additionally, two workarounds are available: using RADIUS over TLS or disabling the RADIUS accounting-server feature (Fortinet Advisory).