SecuriTricks - CVE-2024-54027

Description

A Use of Hard-coded Cryptographic Key vulnerability [CWE-321] in FortiSandbox version 4.4.6 and below, version 4.2.7 and below, version 4.0.5 and below, version 3.2.4 and below, version 3.1.5 and below, version 3.0.7 to 3.0.5 may allow a privileged attacker with super-admin profile and CLI access to read sensitive data via CLI.

Product(s) Impacted

Vendor	Product	Versions
Fortinet	Fortisanbox	4.4.6, 4.2.7, 4.0.5, 3.2.4, 3.1.5, 3.0.7, 3.0.5

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-321

Use of Hard-coded Cryptographic Key

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	fortinet	fortisanbox	4.4.6	/	/	/	/	/	/	/
a	fortinet	fortisanbox	4.2.7	/	/	/	/	/	/	/
a	fortinet	fortisanbox	4.0.5	/	/	/	/	/	/	/
a	fortinet	fortisanbox	3.2.4	/	/	/	/	/	/	/
a	fortinet	fortisanbox	3.1.5	/	/	/	/	/	/	/
a	fortinet	fortisanbox	3.0.7	/	/	/	/	/	/	/
a	fortinet	fortisanbox	3.0.5	/	/	/	/	/	/	/

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-327

CVSS Score

8.2 / 10

CVSS Data

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

View Vector String

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Date

Published: March 17, 2025, 2:15 p.m.
Last Modified: March 17, 2025, 2:15 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

psirt@fortinet.com

CVE-2024-54027