CVE-2024-33504

CVE Database · CVE-2024-33504

CVE-2024-33504

· MEDIUMAnalyzed

CVSS v3.1

4.1

EPSS

0.28%

Published

Feb 11, 2025

Modified

Jul 24, 2025

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A use of hard-coded cryptographic key to encrypt sensitive data vulnerability [CWE-321] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.9, 7.0 all versions, 6.4 all versions may allow an attacker with JSON API access permissions to decrypt some secrets even if the 'private-data-encryption' setting is enabled.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Weaknesses (CWE)

CWE-321

Affected Products (5)

fortinet · fortimanager (up to 7.2.10)vulnerable

fortinet · fortimanager (up to 7.4.6)vulnerable

fortinet · fortimanager (up to 7.6.2)vulnerable

fortinet · fortimanager_cloud (up to 7.2.9)vulnerable

fortinet · fortimanager_cloud (up to 7.4.6)vulnerable

References (2)

https://fortiguard.fortinet.com/psirt/FG-IR-24-094

Vendor Advisory

https://github.com/orangecertcc/security-research/security/advisories/GHSA-pgc3-m5p5-4vc3

Third Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs