CVE-2024-50568: A channel accessible by non-endpoint vulnerability [CWE-300] in Fortinet FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7 and before 7.0.14...
Description
A channel accessible by non-endpoint vulnerability [CWE-300] in Fortinet FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7 and before 7.0.14 & FortiProxy version 7.4.0 through 7.4.3, 7.2.0 through 7.2.9 and before 7.0.16 allows an unauthenticated attacker with the knowledge of device specific data to spoof the identity of a downstream device of the security fabric via crafted TCP requests.
Classification
CVE ID: CVE-2024-50568
CVSS Base Severity: MEDIUM
CVSS Base Score: 5.6
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:X/RC:C
Problem Types
Execute unauthorized code or commandsAffected Products
Vendor: Fortinet
Product: FortiOS, FortiProxy
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.01% (probability of being exploited)
EPSS Percentile: 0.31% (scored less or equal to compared to others)
EPSS Date: 2025-06-19 (when was this score calculated)
Stakeholder-Specific Vulnerability Categorization (SSVC)
SSVC Exploitation: none
SSVC Technical Impact: partial
SSVC Automatable: false
References
https://nvd.nist.gov/vuln/detail/CVE-2024-50568https://fortiguard.fortinet.com/psirt/FG-IR-24-058