Which Fortinet products are affected by CVE-2024-26009?

Affected products include FortiOS versions 6.4.0 through 6.4.15, 6.2.0 through 6.2.16 and all FortiOS 6.0 versions; FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, and 7.0.0 through 7.0.15; FortiPAM all versions in 1.2, 1.1, and 1.0 branches; and FortiSwitchManager versions 7.2.0 through 7.2.3 and 7.0.0 through 7.0.3.

What are the specific requirements for exploiting CVE-2024-26009?

The exploit requires very specific conditions: attackers must know the FortiManager's serial number and the systems must be managed by FortiManager. This creates a targeted attack channel involving either disgruntled employees with knowledge of the FortiManager serial number or social engineering attacks to persuade someone to reveal the serial number.

What can attackers achieve by exploiting CVE-2024-26009?

Once the specific requirements are met, attackers can craft malicious FGFM requests to gain administrative-level access to the targeted infrastructure managed by FortiManager systems.

How should FortiOS users fix CVE-2024-26009?

FortiOS users should upgrade based on their current version: FortiOS 6.4 users should upgrade to version 6.4.16 or above, FortiOS 6.2 users should upgrade to 6.2.17 or above, and FortiOS 6.0 users must migrate to a new release entirely.

What are the upgrade paths for FortiProxy users affected by CVE-2024-26009?

FortiProxy users should update based on their version: FortiProxy 7.4.0 through 7.4.2 users should upgrade to version 7.4.3 or above, FortiProxy 7.2.0 through 7.2.8 users should update to 7.2.9 or above, and FortiProxy 7.0.0 through 7.0.15 should upgrade to 7.0.16 or above.

What should FortiPAM users do about CVE-2024-26009?

Legacy FortiPAM versions 1.0, 1.1, and 1.2 require complete migration to newer releases, as all versions in these branches are affected by the vulnerability.

How should FortiSwitchManager users address CVE-2024-26009?

FortiSwitchManager users should upgrade based on their version: FortiSwitchManager 7.2.0 through 7.2.3 users should upgrade to 7.2.4 or above, and FortiSwitchManager 7.0.0 through 7.0.3 should upgrade to 7.0.4 or above.

What additional security measures should organizations implement for CVE-2024-26009?

Organizations should prioritize proper isolation of the communication protocol and provide education to all administrators on the risks of social engineering attacks, since knowledge of the FortiManager serial number is a key requirement for exploitation.

Why is CVE-2024-26009 considered a peculiar vulnerability?

The vulnerability is considered peculiar because it has very specific exploit requirements involving insider knowledge (FortiManager serial numbers) and relies heavily on social engineering or insider threats, making it a targeted rather than widespread attack vector.

What is the FGFM protocol and why is it significant in this vulnerability?

FGFM stands for FortiGate-to-FortiManager protocol, which is designed for secure communication between FortiGate devices and central management systems. The vulnerability allows attackers to craft malicious FGFM requests to bypass authentication in this critical communication channel.

Advisory

Fortinet authentication bypass flaw enables device takeover

Q: What is CVE-2024-26009 and what does it affect?

CVE-2024-26009 is an authentication bypass vulnerability with a CVSS score of 7.9 affecting multiple Fortinet enterprise security products. It's an Authentication Bypass Using an Alternate Path or Channel in the FortiGate-to-FortiManager (FGFM) protocol, which is designed for secure communication between FortiGate devices and central management systems.

published: Aug. 13, 2025

Take action: If you are using FortiManager to manage Fortinet devices, make sure they are isolated from the internet and accessible only from trustef network. Communicate this flaw and the risk of phishing attempts to all admins. Finally, plan a patch process, which may be complex.

Learn More

Fortinet has patched a peculiar authentication bypass vulnerability affecting multiple enterprise security products.

The vulnerability is tracked as CVE-2024-26009 (CVSS score 7.9) - Authentication Bypass Using an Alternate Path or Channel in the The FortiGate-to-FortiManager (FGFM) protocol, designed for secure communication between FortiGate devices and central management systems. Attackers can craft malicious FGFM requests to target devices managed by FortiManager systems if they know the FortiManager's serial number.

The specific requirements of the exploit provides a very targeted channel of exploit - only systems where Fortinet systems are managed by FortiManager and:

Disgruntled employees with knowledge of the respective serial number of the FortiManager system.
Social engineering attacks that will persuade someone to give out the serial number of the FortiManager system.

Once these conditions are met, attackers can gain administrative-level access to the targeted infrastructure.

Affected products:

FortiOS versions 6.4.0 through 6.4.15, 6.2.0 through 6.2.16 and all FortiOS 6.0 versions;
FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, and 7.0.0 through 7.0.15;
FortiPAM all versions in 1.2, 1.1, and 1.0 branches;
FortiSwitchManager versions 7.2.0 through 7.2.3 and 7.0.0 through 7.0.3

Fortinet has provided remediation paths for each affected product:

FortiOS 6.4 users should upgrade to version 6.4.16 or above,
FortiOS 6.2 users should upgrade to 6.2.17 or above
FortiOS 6.0 usermust migrate to a new release
FortiProxy users must update to versions 7.0.16, 7.2.9, or 7.4.3, depending on their current installation
FortiProxy 7.4.0 through 7.4.2 users should upgrade to version 7.4.3 or above,
FortiProxy 7.2.0 through 7.2.8 users should update to 7.2.9 or above.
FortiProxy 7.0.0 through 7.0.15 should upgrade to 7.0.16 or above.
Legacy FortiPAM versions 1.0, 1.1, and 1.2 require complete migration to newer releases
FortiSwitchManager 7.2.0 through 7.2.3 users should upgrade to 7.2.4 or above,
FortiSwitchManager 7.0.0 through 7.0.3 should upgrade to 7.0.4 or above.

Naturally, proper isolation of the communication protocol is a first priority, as well as education of all administrators on risks of social engineering.

Fortinet authentication bypass flaw enables device takeover

Read More
ServiceNow fixes vulnerabilities in Now Platform
Ivanti Patches Critical Zero-Day RCE Flaws in EPMM
Critical issues reported in Invision Community forum software
OpenSSL Patches 12 Vulnerabilities Including One Critical RCE
Critical actively exploited flaw in WatchGuard Fireware OS …