CVE-2024-52965: 
FortiOS vulnerability analysis and mitigation

A missing critical step in authentication vulnerability (CVE-2024-52965) was discovered in Fortinet FortiOS and FortiProxy products. The vulnerability was identified on July 8, 2025, affecting multiple versions of FortiOS (7.6.0-7.6.1, 7.4.0-7.4.5, 7.2.0-7.2.10, and versions before 7.0.16) and FortiProxy (7.6.0-7.6.1, 7.4.0-7.4.8, 7.2.0-7.2.13, and versions before 7.0.20). The vulnerability was internally discovered by Luca Pizziniaco from Fortinet's technical support team (Fortinet Advisory).

The vulnerability is classified as CWE-304 (Missing Critical Step in Authentication) and allows an API-user using api-key + PKI user certificate authentication to login even if the certificate is invalid. The vulnerability has been assigned a CVSSv3 score of 6.8, categorizing it as Medium severity. This security flaw specifically affects the GUI component of the affected systems (Fortinet Advisory, NVD).

The vulnerability results in improper access control, potentially allowing unauthorized access to affected systems through API authentication mechanisms. The successful exploitation could lead to authentication bypass when using PKI certificate-based authentication (Fortinet Advisory).

Fortinet has released patches for all affected versions. Users of FortiOS should upgrade to versions 7.6.3 or above, 7.4.6 or above, 7.2.11 or above, or 7.0.17 or above, depending on their current version. FortiProxy users should upgrade to versions 7.6.2 or above, 7.4.9 or above, 7.2.14 or above, or 7.0.21 or above. Fortinet provides an upgrade path tool to assist with the update process (Fortinet Advisory).