CVE-2024-33504

A use of hard-coded cryptographic key to encrypt sensitive data vulnerability [CWE-321] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.9, 7.0 all versions, 6.4 all versions may allow an attacker with JSON API access permissions to decrypt some secrets even if the 'private-data-encryption' setting is enabled.

Published: Feb 11, 2025
Updated: Jul 25, 2025
CVE: CVE-2024-33504
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.7
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CWEs:

CWE-321

Affected Software
References

Software	From	Fixed in
fortinet / fortimanager	7.6.0	7.6.2
fortinet / fortimanager	7.4.0	7.4.6
fortinet / fortimanager	6.4.0	7.2.10
fortinet / fortimanager_cloud	6.4.1	7.2.9
fortinet / fortimanager_cloud	7.4.1	7.4.6

https://fortiguard.fortinet.com/psirt/FG-IR-24-094
https://github.com/orangecertcc/security-research/security/advisories/GHSA-pgc3-m5p5-4vc3

Vulnerability Database

CVE-2024-33504

Deep Security Visibility Without the Complexity