SecuriTricks - CVE-2024-40593

Description

A key management errors vulnerability in Fortinet FortiAnalyzer 7.4.0 through 7.4.2, FortiAnalyzer 7.2.0 through 7.2.5, FortiAnalyzer 7.0 all versions, FortiAnalyzer 6.4 all versions, FortiManager 7.4.0 through 7.4.2, FortiManager 7.2.0 through 7.2.5, FortiManager 7.0 all versions, FortiManager 6.4 all versions, FortiOS 7.6.0, FortiOS 7.4.4, FortiOS 7.2.7, FortiOS 7.0.14, FortiPortal 6.0 all versions may allow an authenticated admin to retrieve a certificate's private key via the device's admin shell.

Product(s) Impacted

Vendor	Product	Versions
Fortinet	Fortianalyzer Fortimanager Fortios Fortiportal	* * 7.0.14, 7.2.7, 7.4.4, 7.6.0 *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-320

None

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	fortinet	fortianalyzer	/	/	/	/	/	/	/	/
a	fortinet	fortianalyzer	/	/	/	/	/	/	/	/
a	fortinet	fortimanager	/	/	/	/	/	/	/	/
a	fortinet	fortimanager	/	/	/	/	/	/	/	/
o	fortinet	fortios	7.0.14	/	/	/	/	/	/	/
o	fortinet	fortios	7.2.7	/	/	/	/	/	/	/
o	fortinet	fortios	7.4.4	/	/	/	/	/	/	/
o	fortinet	fortios	7.6.0	/	/	/	/	/	/	/
a	fortinet	fortiportal	/	/	/	/	/	/	/	/

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-133

CVSS Score

6.0 / 10

CVSS Data - 3.1

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

View Vector String

Timeline

Published: Dec. 11, 2025, 3:15 p.m.
Last Modified: Dec. 12, 2025, 6:28 p.m.

Status : Analyzed

CVE has had analysis completed and all data associations made.

More info

Source

psirt@fortinet.com

CVE-2024-40593