CVE-2024-33504

A use of hard-coded cryptographic key to encrypt sensitive data vulnerability [CWE-321] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.9, 7.0 all versions, 6.4 all versions may allow an attacker with JSON API access permissions to decrypt some secrets even if the 'private-data-encryption' setting is enabled.

CVSS v3.0 7.7 HIGH

7.7^/10

CVSS v3.0 : HIGH

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://fortiguard.fortinet.com/psirt/FG-IR-24-094	Vendor Advisory
https://github.com/orangecertcc/security-research/security/advisories/GHSA-pgc3-m5p5-4vc3	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:fortinet:fortimanager::::::::
	cpe:2.3:a:fortinet:fortimanager::::::::
	cpe:2.3:a:fortinet:fortimanager::::::::

Configuration 2 (hide)

OR	cpe:2.3:a:fortinet:fortimanager_cloud::::::::
	cpe:2.3:a:fortinet:fortimanager_cloud::::::::

History

24 Jul 2025, 20:00

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.7
CPE		cpe:2.3:a:fortinet:fortimanager_cloud:::::::: cpe:2.3:a:fortinet:fortimanager::::::::
First Time		Fortinet fortimanager Cloud Fortinet Fortinet fortimanager
References	~~() https://github.com/orangecertcc/security-research/security/advisories/GHSA-pgc3-m5p5-4vc3 -~~	() https://github.com/orangecertcc/security-research/security/advisories/GHSA-pgc3-m5p5-4vc3 - Third Party Advisory
References	~~() https://fortiguard.fortinet.com/psirt/FG-IR-24-094 -~~	() https://fortiguard.fortinet.com/psirt/FG-IR-24-094 - Vendor Advisory

11 Feb 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-11 17:15

Updated : 2025-07-24 20:00

NVD link : CVE-2024-33504

Mitre link : CVE-2024-33504

JSON object : View

Products Affected

fortinet

fortimanager_cloud
fortimanager

CWE

CWE-321

Use of Hard-coded Cryptographic Key

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-094", "name": "https://fortiguard.fortinet.com/psirt/FG-IR-24-094", "tags": ["Vendor Advisory"], "refsource": ""}, {"url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-pgc3-m5p5-4vc3", "name": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-pgc3-m5p5-4vc3", "tags": ["Third Party Advisory"], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "A use of hard-coded cryptographic key to encrypt sensitive data vulnerability [CWE-321] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.9, 7.0 all versions, 6.4 all versions may allow an attacker with JSON API access permissions to decrypt some secrets even if the 'private-data-encryption' setting is enabled."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-321"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2024-33504", "ASSIGNER": "psirt@fortinet.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.1}}, "publishedDate": "2025-02-11T17:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "7.6.2", "versionStartIncluding": "7.6.0"}, {"cpe23Uri": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "7.4.6", "versionStartIncluding": "7.4.0"}, {"cpe23Uri": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "7.2.10", "versionStartIncluding": "6.4.0"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:fortinet:fortimanager_cloud:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "7.2.9", "versionStartIncluding": "6.4.1"}, {"cpe23Uri": "cpe:2.3:a:fortinet:fortimanager_cloud:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "7.4.6", "versionStartIncluding": "7.4.1"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2025-07-24T20:00Z"}