Missing Critical Step in Authentication

CVE-2024-52965

High

7.2/10

Summary

A missing critical step in authentication vulnerability [CWE-304] in Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.10, and before 7.0.16 & FortiProxy version 7.6.0 through 7.6.1, 7.4.0 through 7.4.8, 7.2.0 through 7.2.13 and before 7.0.20 allows an API-user using api-key + PKI user certificate authentication to login even if the certificate is invalid.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: HIGH
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-304 - Missing Critical Step in Authentication

The software implements an authentication technique, but it skips a step that weakens the technique.

References

Advisory Timeline

Published Jul 08, 2025

Missing Critical Step in Authentication

CVE-2024-52965

Summary

CWE-304 - Missing Critical Step in Authentication

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS