#VU107310 Use of Hard-coded Cryptographic Key in FortiManager - CVE-2024-33504

Cybersecurity Help s.r.o.

Published: 2025-04-09

Vulnerability identifier: #VU107310

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-33504

CWE-ID: CWE-321

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
FortiManager
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor: Fortinet, Inc

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to usage of a hard-coded cryptographic key. A remote user with JSON API access permissions can decrypt some secrets even if the 'private-data-encryption' setting is enabled.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

FortiManager: 6.4.0 - 6.4.15, 7.0.0 - 7.0.14, 7.2.0 - 7.2.9, 7.4.0 - 7.4.5, 7.6.0 - 7.6.1

External links
https://fortiguard.fortinet.com/psirt/FG-IR-24-094
https://github.com/orangecertcc/security-research/security/advisories/GHSA-pgc3-m5p5-4vc3

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Use of hard-coded cryptographic key in FortiManager