CVE-2024-50565: 
FortiOS vulnerability analysis and mitigation

A high-severity improper restriction of communication channel vulnerability (CVE-2024-50565) affects multiple Fortinet products including FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiVoice, and FortiWeb. The vulnerability was discovered internally by Fortinet's security team and was disclosed on April 8, 2025. The affected versions include FortiOS 7.4.0 through 7.4.3, FortiProxy 7.4.0 through 7.4.2, FortiManager 7.4.0 through 7.4.2, FortiAnalyzer 7.4.0 through 7.4.2, FortiVoice 7.0.0 through 7.0.2, and FortiWeb 7.4.0 through 7.4.2, among other versions (Fortinet PSIRT).

The vulnerability is classified as an improper restriction of communication channel to intended endpoints [CWE-923]. It received a CVSS v3.1 Base Score of 3.1 (LOW) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N (NVD).

The vulnerability allows an unauthenticated attacker in a man-in-the-middle position to impersonate the management device (FortiCloud server or, under certain conditions, FortiManager) by intercepting the FGFM authentication request between the management device and the managed device (Fortinet PSIRT, SecurityWeek).

Fortinet has released patches for all affected products and versions. Users are advised to upgrade to the following versions: FortiAnalyzer 7.4.3 or above, FortiManager 7.4.3 or above, FortiOS 7.4.5 or above, FortiProxy 7.4.3 or above, FortiVoice 7.0.3 or above, and FortiWeb 7.4.3 or above. For older versions, users should migrate to a fixed release (Fortinet PSIRT).