A use of password hash with insufficient computational effort vulnerability [CWE-916] affecting FortiOS version 7.4.3 and below, 7.2 all versions, 7.0 all versions, 6.4 all versions and FortiProxy version 7.4.2 and below, 7.2 all versions, 7.0 all versions, 2.0 all versions may allow a privileged attacker with super-admin profile and CLI access to decrypt the backup file.
CVE ID: CVE-2024-21754
CVSS Base Severity: LOW
CVSS Base Score: 1.8
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
Vendor: Fortinet
Product: FortiProxy, FortiOS
EPSS Score: 0.36% (probability of being exploited)
EPSS Percentile: 57.46% (share of scored vulnerabilities with an EPSS score less than or equal to this one)
EPSS Date: 2025-05-30 (date this score was calculated)
SSVC Exploitation: none
SSVC Technical Impact: egress
SSVC Automatable: false