CISA Known Exploited Vulnerabilities Catalog

For the benefit of the cybersecurity community and network defenders, and to help every organization better manage vulnerabilities and keep pace with threat activity, CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.
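The following is an added example of what "use the KEV catalog as an input" looks like in practice; it is not code from CISA or from cvefeed.io. It reads an excerpt in the shape of CISA's published KEV JSON feed (field names cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate, knownRansomwareCampaignUse), joins it against scanner findings, and ranks them so that any exploited-in-the-wild entry outranks any non-KEV finding, however high its CVSS score. The feed excerpt, the asset inventory, the placeholder CVE-2099-00001 and the ranking rule are all constructed for the example; the excerpt's values are copied from the entries on this page.

```python
"""Use the CISA KEV catalog as an input to patch prioritization.

Added example; not code from CISA or from cvefeed.io. It relies on the field
names of CISA's published KEV JSON feed. The feed excerpt, the asset
inventory and the ranking rule below are constructed for this example.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV feed published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# (values copied from the catalog entries on this page).
KEV_FEED_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2024-55591", "vendorProject": "Fortinet", "product": "FortiOS",
     "vulnerabilityName": "Fortinet FortiOS Authorization Bypass Vulnerability",
     "dateAdded": "2025-01-14", "dueDate": "2025-01-21",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-48788", "vendorProject": "Fortinet", "product": "FortiClient EMS",
     "vulnerabilityName": "Fortinet FortiClient EMS SQL Injection Vulnerability",
     "dateAdded": "2024-03-25", "dueDate": "2024-04-15",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2022-41328", "vendorProject": "Fortinet", "product": "FortiOS",
     "vulnerabilityName": "Fortinet FortiOS Path Traversal Vulnerability",
     "dateAdded": "2023-03-14", "dueDate": "2023-04-04",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2022-40684", "vendorProject": "Fortinet", "product": "Multiple Products",
     "vulnerabilityName": "Fortinet Multiple Products Authentication Bypass Vulnerability",
     "dateAdded": "2022-10-11", "dueDate": "2022-11-01",
     "knownRansomwareCampaignUse": "Known"}
  ]
}"""

# Constructed scanner output: asset -> {CVE -> CVSS 3.1 base score}.
# CVE-2099-00001 is a placeholder (not a real CVE) for a high-CVSS finding
# that is NOT in KEV, to show that KEV membership outranks raw CVSS.
INVENTORY = {
    "fw-edge-01":   {"CVE-2024-55591": 9.8, "CVE-2022-41328": 7.1},
    "ems-01":       {"CVE-2023-48788": 9.8, "CVE-2099-00001": 9.8},
    "proxy-dmz-02": {"CVE-2022-40684": 9.8},
}


def load_kev(feed_json: str) -> dict[str, dict]:
    """Index the KEV feed by CVE ID for direct lookups."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def prioritize(inventory: dict, kev: dict, today: str) -> list[dict]:
    """Join scanner findings with KEV and rank them (today is an ISO date).

    Ranking rule (constructed for the example): any KEV entry outranks any
    non-KEV finding regardless of CVSS; within KEV, known ransomware use
    first, then how far past the CISA due date, then CVSS as a tiebreaker.
    """
    today_d = date.fromisoformat(today)
    findings = []
    for asset, cves in inventory.items():
        for cve, cvss in cves.items():
            entry = kev.get(cve)
            f = {"asset": asset, "cve": cve, "cvss": cvss,
                 "in_kev": entry is not None, "ransomware": False, "days_overdue": None}
            if entry is not None:
                # dueDate is CISA's BOD 22-01 deadline for federal civilian agencies;
                # other organizations commonly adopt it as their own SLA.
                due = date.fromisoformat(entry["dueDate"])
                f["ransomware"] = entry["knownRansomwareCampaignUse"] == "Known"
                f["days_overdue"] = (today_d - due).days  # negative = not yet due
                f["name"] = entry["vulnerabilityName"]
            findings.append(f)

    def rank(f: dict) -> tuple:
        overdue = f["days_overdue"] if f["days_overdue"] is not None else 0
        return (not f["in_kev"], not f["ransomware"], -overdue, -f["cvss"])

    findings.sort(key=rank)
    return findings


def overdue_kev_cves(inventory: dict, kev: dict, today: str) -> list[str]:
    """CVE IDs in the inventory whose CISA due date has already passed, in priority order."""
    return [f["cve"] for f in prioritize(inventory, kev, today)
            if f["in_kev"] and f["days_overdue"] > 0]


if __name__ == "__main__":
    kev = load_kev(KEV_FEED_JSON)
    # Reference date matches the "Latest DB Update" stamp on this page.
    for f in prioritize(INVENTORY, kev, "2025-03-17"):
        tag = "KEV+ransomware" if f["ransomware"] else ("KEV" if f["in_kev"] else "not in KEV")
        print(f"{f['asset']:13} {f['cve']:15} CVSS {f['cvss']:<4} {tag:15} overdue={f['days_overdue']}")
```

Run against the live feed by replacing KEV_FEED_JSON with the downloaded file; the ranking treats KEV as a floor rather than a substitute for CVSS: the placeholder 9.8 that is not in KEV still lands at the bottom, while the 7.1 path traversal on the firewall, which is in KEV and two years past due, lands above it. A finding whose due date has not yet arrived gets a negative days_overdue and stays in the list, so it is not silently dropped from the queue.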

    CVE-2024-55591 - Fortinet FortiOS Authorization Bypass Vulnerability (CVSS 3.1: 9.8)

    Action Due : Jan 21, 2025
    Target Vendor : Fortinet

    Description : Fortinet FortiOS contains an authorization bypass vulnerability that may allow an unauthenticated remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module.

    Action : Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

    Known To Be Used in Ransomware Campaigns? : Unknown

    Notes : https://fortiguard.fortinet.com/psirt/FG-IR-24-535 ; https://nvd.nist.gov/vuln/detail/CVE-2024-55591

    Alert Date: Jan 14, 2025 | 62 days ago

    CVE-2024-47575 - Fortinet FortiManager Missing Authentication Vulnerability (CVSS 3.1: 9.8)

    Action Due : Nov 13, 2024
    Target Vendor : Fortinet

    Description : Fortinet FortiManager contains a missing authentication vulnerability in the fgfmd daemon that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

    Action : Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

    Known To Be Used in Ransomware Campaigns? : Unknown

    Notes : https://fortiguard.fortinet.com/psirt/FG-IR-24-423 ; https://nvd.nist.gov/vuln/detail/CVE-2024-47575

    Alert Date: Oct 23, 2024 | 145 days ago

    CVE-2024-23113 - Fortinet Multiple Products Format String Vulnerability (CVSS 3.1: 9.8)

    Action Due : Oct 30, 2024
    Target Vendor : Fortinet

    Description : Fortinet FortiOS, FortiPAM, FortiProxy, and FortiWeb contain a format string vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

    Action : Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

    Known To Be Used in Ransomware Campaigns? : Unknown

    Notes : https://www.fortiguard.com/psirt/FG-IR-24-029 ; https://nvd.nist.gov/vuln/detail/CVE-2024-23113

    Alert Date: Oct 09, 2024 | 159 days ago

    CVE-2023-48788 - Fortinet FortiClient EMS SQL Injection Vulnerability (CVSS 3.1: 9.8)

    Action Due : Apr 15, 2024
    Target Vendor : Fortinet

    Description : Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests.

    Action : Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

    Known To Be Used in Ransomware Campaigns? : Known

    Notes : https://www.fortiguard.com/psirt/FG-IR-24-007; https://nvd.nist.gov/vuln/detail/CVE-2023-48788

    Alert Date: Mar 25, 2024 | 357 days ago

    CVE-2024-21762 - Fortinet FortiOS Out-of-Bound Write Vulnerability (CVSS 3.1: 9.8)

    Action Due : Feb 16, 2024
    Target Vendor : Fortinet

    Description : Fortinet FortiOS contains an out-of-bound write vulnerability that allows a remote unauthenticated attacker to execute code or commands via specially crafted HTTP requests.

    Action : Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

    Known To Be Used in Ransomware Campaigns? : Unknown

    Notes : https://fortiguard.fortinet.com/psirt/FG-IR-24-015 ; https://nvd.nist.gov/vuln/detail/CVE-2024-21762

    Alert Date: Feb 09, 2024 | 402 days ago

    CVE-2023-27997 - Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability (CVSS 3.1: 9.8)

    Action Due : Jul 04, 2023
    Target Vendor : Fortinet

    Description : Fortinet FortiOS and FortiProxy SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute code or commands via specifically crafted requests.

    Action : Apply updates per vendor instructions.

    Known To Be Used in Ransomware Campaigns? : Known

    Notes : https://www.fortiguard.com/psirt/FG-IR-23-097; https://nvd.nist.gov/vuln/detail/CVE-2023-27997

    Alert Date: Jun 13, 2023 | 643 days ago

    CVE-2022-41328 - Fortinet FortiOS Path Traversal Vulnerability (CVSS 3.1: 7.1)

    Action Due : Apr 04, 2023
    Target Vendor : Fortinet

    Description : Fortinet FortiOS contains a path traversal vulnerability that may allow a local privileged attacker to read and write files via crafted CLI commands.

    Action : Apply updates per vendor instructions.

    Known To Be Used in Ransomware Campaigns? : Unknown

    Notes : https://www.fortiguard.com/psirt/FG-IR-22-369; https://nvd.nist.gov/vuln/detail/CVE-2022-41328

    Alert Date: Mar 14, 2023 | 734 days ago

    CVE-2022-42475 - Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability (CVSS 3.1: 9.8)

    Action Due : Jan 03, 2023
    Target Vendor : Fortinet

    Description : Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary code or commands via specifically crafted requests.

    Action : Apply updates per vendor instructions.

    Known To Be Used in Ransomware Campaigns? : Unknown

    Notes : https://www.fortiguard.com/psirt/FG-IR-22-398; https://nvd.nist.gov/vuln/detail/CVE-2022-42475

    Alert Date: Dec 13, 2022 | 825 days ago

    CVE-2022-40684 - Fortinet Multiple Products Authentication Bypass Vulnerability (CVSS 3.1: 9.8)

    Action Due : Nov 01, 2022
    Target Vendor : Fortinet

    Description : Fortinet FortiOS, FortiProxy, and FortiSwitchManager contain an authentication bypass vulnerability that could allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

    Action : Apply updates per vendor instructions.

    Known To Be Used in Ransomware Campaigns? : Known

    Notes : https://www.fortiguard.com/psirt/FG-IR-22-377; https://nvd.nist.gov/vuln/detail/CVE-2022-40684

    Alert Date: Oct 11, 2022 | 888 days ago

    CVE-2018-13374 - Fortinet FortiOS and FortiADC Improper Access Control Vulnerability (CVSS 3.1: 4.3)

    Action Due : Sep 29, 2022
    Target Vendor : Fortinet

    Description : Fortinet FortiOS and FortiADC contain an improper access control vulnerability that allows attackers to obtain the LDAP server login credentials configured in FortiGate by pointing an LDAP server connectivity test request to a rogue LDAP server.

    Action : Apply updates per vendor instructions.

    Known To Be Used in Ransomware Campaigns? : Known

    Notes : https://www.fortiguard.com/psirt/FG-IR-18-157; https://nvd.nist.gov/vuln/detail/CVE-2018-13374

    Alert Date: Sep 08, 2022 | 921 days ago

    CVE-2018-13382 - Fortinet FortiOS and FortiProxy Improper Authorization (CVSS 3.1: 9.1)

    Action Due : Jul 10, 2022
    Target Vendor : Fortinet

    Description : An improper authorization vulnerability in the SSL VPN web portal of Fortinet FortiOS and FortiProxy allows an unauthenticated attacker to modify the password of an SSL VPN web portal user.

    Action : Apply updates per vendor instructions.

    Known To Be Used in Ransomware Campaigns? : Known

    Notes : https://nvd.nist.gov/vuln/detail/CVE-2018-13382

    Alert Date: Jan 10, 2022 | 1162 days ago

    CVE-2018-13383 - Fortinet FortiOS and FortiProxy Out-of-bounds Write (CVSS 3.1: 6.5)

    Action Due : Jul 10, 2022
    Target Vendor : Fortinet

    Description : A heap buffer overflow in the SSL VPN web portal of Fortinet FortiOS and FortiProxy may cause termination of the SSL VPN web service for logged-in users.

    Action : Apply updates per vendor instructions.

    Known To Be Used in Ransomware Campaigns? : Known

    Notes : https://nvd.nist.gov/vuln/detail/CVE-2018-13383

    Alert Date: Jan 10, 2022 | 1162 days ago

    CVE-2021-44168 - Fortinet FortiOS Arbitrary File Download (CVSS 3.1: 7.8)

    Action Due : Dec 24, 2021
    Target Vendor : Fortinet

    Description : Fortinet FortiOS "execute restore src-vis" downloads code without integrity checking, allowing an attacker to arbitrarily download files.

    Action : Apply updates per vendor instructions.

    Known To Be Used in Ransomware Campaigns? : Unknown

    Notes : https://nvd.nist.gov/vuln/detail/CVE-2021-44168

    Alert Date: Dec 10, 2021 | 1193 days ago

    CVE-2019-5591 - Fortinet FortiOS Default Configuration Vulnerability (CVSS 3.1: 6.5)

    Action Due : May 03, 2022
    Target Vendor : Fortinet

    Description : Fortinet FortiOS contains a default configuration vulnerability that may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the Lightweight Directory Access Protocol (LDAP) server.

    Action : Apply updates per vendor instructions.

    Known To Be Used in Ransomware Campaigns? : Unknown

    Notes : https://nvd.nist.gov/vuln/detail/CVE-2019-5591

    Alert Date: Nov 03, 2021 | 1230 days ago

    CVE-2020-12812 - Fortinet FortiOS SSL VPN Improper Authentication Vulnerability (CVSS 3.1: 9.8)

    Action Due : May 03, 2022
    Target Vendor : Fortinet

    Description : Fortinet FortiOS SSL VPN contains an improper authentication vulnerability that may allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they change the case of their username.

    Action : Apply updates per vendor instructions.

    Known To Be Used in Ransomware Campaigns? : Known

    Notes : https://nvd.nist.gov/vuln/detail/CVE-2020-12812

    Alert Date: Nov 03, 2021 | 1230 days ago

    CVE-2018-13379 - Fortinet FortiOS SSL VPN Path Traversal Vulnerability (CVSS 3.1: 9.8)

    Action Due : May 03, 2022
    Target Vendor : Fortinet

    Description : Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability that may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.

    Action : Apply updates per vendor instructions.

    Known To Be Used in Ransomware Campaigns? : Known

    Notes : https://nvd.nist.gov/vuln/detail/CVE-2018-13379

    Alert Date: Nov 03, 2021 | 1230 days ago

© cvefeed.io
Latest DB Update: Mar. 17, 2025 21:20