High severity 8.1 · NVD Advisory · Published Aug 12, 2025 · Updated Apr 20, 2026
CVE-2024-26009
Description
An authentication bypass using an alternate path or channel [CWE-288] vulnerability in Fortinet FortiOS 6.4.0 through 6.4.15, FortiOS 6.2.0 through 6.2.16, FortiOS 6.0 all versions, FortiPAM 1.2.0, FortiPAM 1.1.0 through 1.1.2, FortiPAM 1.0.0 through 1.0.3, FortiProxy 7.4.0 through 7.4.2, FortiProxy 7.2.0 through 7.2.8, FortiProxy 7.0.0 through 7.0.15, FortiSwitchManager 7.2.0 through 7.2.3, FortiSwitchManager 7.0.0 through 7.0.3 allows an unauthenticated attacker to seize control of a managed device via crafted FGFM requests, if the device is managed by a FortiManager, and if the attacker knows that FortiManager's serial number.
Affected products
- cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* (range: >=7.0.0,<7.0.16)
- (no CPE) (range: 7.4.0-7.4.2, 7.2.0-7.2.8, 7.0.0-7.0.15)
- cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* (range: >=7.0.0,<7.0.4)
References
- fortiguard.fortinet.com/psirt/FG-IR-24-042 (NVD, Vendor Advisory)