CVE-2024-50568: 
FortiOS vulnerability analysis and mitigation

A channel accessible by non-endpoint vulnerability (CVE-2024-50568) was discovered in Fortinet FortiOS versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, and versions before 7.0.14, as well as FortiProxy versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.9, and versions before 7.0.16. The vulnerability was internally discovered and reported by Théo Leleu of the Fortinet Product Security team and was publicly disclosed on June 10, 2025 (Fortinet Advisory).

The vulnerability is classified as CWE-300 (Channel Accessible by Non-Endpoint) and received a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N. This indicates that the vulnerability is network accessible, requires high attack complexity, needs no privileges or user interaction, has unchanged scope, and can impact integrity but not confidentiality or availability (NVD).

The vulnerability allows an unauthenticated attacker with knowledge of device-specific data to spoof the identity of a downstream device of the security fabric through crafted TCP requests. This could potentially lead to unauthorized code execution or commands being performed on the affected systems (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. FortiOS users should upgrade to version 7.4.4 or above for 7.4.x branch, 7.2.9 or above for 7.2.x branch. FortiProxy users should upgrade to version 7.4.4 or above for 7.4.x branch, 7.2.10 or above for 7.2.x branch, or 7.0.17 or above for 7.0.x branch. Users of older versions should migrate to a fixed release (Fortinet Advisory).