CVE-2024-36506

FortiClientEMS - Improper verification of source of a communication channel in administrative interface

Posted Aug 6, 2024 Updated Jan 14, 2025

By Bryan Edwards

1 min read

CVE-2024-36506

Details

Vendor: Fortinet

Severity: Low

Impact: Improper Access Control

CVSSv3 Score: 3.5

Vulnerable Products

Version	Affected	Solution
FortiClientEMS Cloud	7.4 7.4.0	Upgrade to 7.4.1 or above
FortiClientEMS Cloud	7.2 7.2.0 through 7.2.4	Upgrade to 7.2.5 or above
FortiClientEMS Cloud	7.0 7.0 all versions	Migrate to a fixed release
FortiClientEMS Cloud	6.4 6.4 all versions	Migrate to a fixed release
FortiClientEMS 7.4	7.4.0	Upgrade to 7.4.1 or above
FortiClientEMS 7.2	7.2.0 through 7.2.4	Upgrade to 7.2.5 or above
FortiClientEMS 7.0	7.0 all versions	Migrate to a fixed release
FortiClientEMS 6.4	6.4 all versions	Migrate to a fixed release

Summary

An improper verification of source of a communication channel vulnerability (CWE-940) in FortiClientEMS may allow a remote attacker to bypass the trusted host feature via session connection.

Disclosure Timeline

gantt
    dateFormat  YYYY-MM-DD
    title       Coordinated Vulnerability Disclosure Timeline

    section CVE-2024-36506
    Discovery            :  des1, 2024-02-21, until des2
    Reported             :  des2, 2024-02-29, until des3
    Confirmation         :  des3, 2024-03-14, until des4
    CVE Issued           :  des4, 2024-05-29, until des5
    Patch Release        :  des5, 2024-10-09, until des6
    Public Release       :  des6, 2025-01-14, 7d

References

Fortiguard PSIRT: FG-IR-24-078

Mitre: CVE-2024-36506

Mitre: CWE-940

NIST Vulnerability Database: CVE-2024-36506

Security, CVE

This post is licensed under CC BY 4.0 by the author.