CVE-2024-52965: 
FortiOS vulnerability analysis and mitigation

A missing critical step in authentication vulnerability [CWE-304] affects Fortinet FortiOS and FortiProxy products. The vulnerability, identified as CVE-2024-52965, was discovered internally by Fortinet's technical support team and publicly disclosed on July 8, 2025. The vulnerability affects multiple versions of FortiOS (7.0.1-7.0.16, 7.2.0-7.2.10, 7.4.0-7.4.5, 7.6.0-7.6.1) and FortiProxy (7.0.0-7.0.20, 7.2.0-7.2.13, 7.4.0-7.4.8, 7.6.0-7.6.1) (Fortinet PSIRT, NVD).

The vulnerability allows an API-user using api-key + PKI user certificate authentication to login even if the certificate is invalid. This represents a critical missing step in the authentication process. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (Fortinet PSIRT).

The vulnerability results in improper access control, potentially allowing unauthorized access to affected systems. The high CVSS score indicates that successful exploitation could lead to significant security implications, including potential unauthorized system access and compromise of system integrity (Fortinet PSIRT).

Fortinet has released patches for all affected versions. Users should upgrade to the following versions: FortiOS 7.6.3 or above (for 7.6.x), 7.4.6 or above (for 7.4.x), 7.2.11 or above (for 7.2.x), 7.0.17 or above (for 7.0.x), and FortiProxy 7.6.2 or above (for 7.6.x), 7.4.9 or above (for 7.4.x), 7.2.14 or above (for 7.2.x), 7.0.21 or above (for 7.0.x). Users should follow the recommended upgrade path using Fortinet's upgrade tool (Fortinet PSIRT).