Unrated severityNVD Advisory· Published Jul 8, 2025· Updated Jul 8, 2025

CVE-2024-52965

Description

A missing critical step in authentication vulnerability [CWE-304] in Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.10, and before 7.0.16 & FortiProxy version 7.6.0 through 7.6.1, 7.4.0 through 7.4.8, 7.2.0 through 7.2.13 and before 7.0.20 allows an API-user using api-key + PKI user certificate authentication to login even if the certificate is invalid.

Affected products

Fortinet/Fortiosv52 versions
cpe:2.3:o:fortinet:fortios:7.6.1:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:fortinet:fortios:7.6.1:*:*:*:*:*:*:*range: 7.6.0
- (no CPE)range: >=7.0.0, <7.0.16, >=7.2.0 <=7.2.10, >=7.4.0 <=7.4.5, >=7.6.0 <=7.6.1
Fortinet/Fortiproxyllm-fuzzy2 versions
>=7.0.0, <7.0.20, >=7.2.0 <=7.2.13, >=7.4.0 <=7.4.8, >=7.6.0 <=7.6.1+ 1 more
- (no CPE)range: >=7.0.0, <7.0.20, >=7.2.0 <=7.2.13, >=7.4.0 <=7.4.8, >=7.6.0 <=7.6.1
- (no CPE)range: 7.6.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

fortiguard.fortinet.com/psirt/FG-IR-24-511mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000