CVE-2024-47570 - Vulnerability Details

Description

An insertion of sensitive information into log file vulnerability [CWE-532] in FortiOS 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0 all versions; FortiProxy 7.4.0 through 7.4.3, 7.2.0 through 7.2.11; FortiPAM 1.4 all versions, 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions and FortiSRA 1.4 all versions may allow a read-only administrator to retrieve API tokens of other administrators via observing REST API logs, if REST API logging is enabled (non-default configuration).

Published: 2025-12-09

Score: 6.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Fortinet

FortiSASE

unaffected

Version	Status	Constraints
`24.1.10`	affected	—

Fortinet

FortiProxy

unaffected

Version	Status	Constraints
`7.4.0`	affected	≤ 7.4.3
`7.2.0`	affected	≤ 7.2.11

Fortinet

FortiSRA

unaffected

Version	Status	Constraints
`1.4.0`	affected	≤ 1.4.3

Fortinet

FortiPAM

unaffected

Version	Status	Constraints
`1.4.0`	affected	≤ 1.4.3
`1.3.0`	affected	≤ 1.3.1
`1.2.0`	affected	—
`1.1.0`	affected	≤ 1.1.2
`1.0.0`	affected	≤ 1.0.3

Fortinet

FortiOS

unaffected

Version	Status	Constraints
`7.4.0`	affected	≤ 7.4.3
`7.2.0`	affected	≤ 7.2.7
`7.0.4`	affected	≤ 7.0.18

Configuration 1 [-]

OR	cpe:2.3:a:fortinet:fortiproxy::::::::
	cpe:2.3:a:fortinet:fortiproxy::::::::
	cpe:2.3:a:fortinet:fortisase:24.1.37:::::::*
	cpe:2.3:a:fortinet:fortisra::::::::
	cpe:2.3:o:fortinet:fortios::::::::
	cpe:2.3:o:fortinet:fortios::::::::
	cpe:2.3:o:fortinet:fortios::::::::
	cpe:2.3:o:fortinet:fortipam::::::::

No data.

No data available yet.

Remediation

Vendor Solution

Fortinet remediated this issue in FortiSASE version 24.1.c and hence customers do not need to perform any action. Upgrade to FortiProxy version 7.4.4 or above Upgrade to FortiProxy version 7.2.12 or above Upgrade to FortiSRA version 1.6.0 or above Upgrade to FortiSRA version 1.5.0 or above Upgrade to FortiPAM version 1.6.0 or above Upgrade to FortiPAM version 1.5.0 or above Upgrade to FortiOS version 7.6.0 or above Upgrade to FortiOS version 7.4.4 or above Upgrade to FortiOS version 7.2.8 or above

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00066.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://fortiguard.fortinet.com/psirt/FG-IR-24-268

History

Wed, 10 Dec 2025 20:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:fortinet:fortiproxy:::::::: cpe:2.3:a:fortinet:fortisase:24.1.37:::::::* cpe:2.3:a:fortinet:fortisra:::::::: cpe:2.3:o:fortinet:fortios:::::::: cpe:2.3:o:fortinet:fortipam::::::::

Tue, 09 Dec 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 09 Dec 2025 17:45:00 +0000

Type	Values Removed	Values Added
Description		An insertion of sensitive information into log file vulnerability [CWE-532] in FortiOS 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0 all versions; FortiProxy 7.4.0 through 7.4.3, 7.2.0 through 7.2.11; FortiPAM 1.4 all versions, 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions and FortiSRA 1.4 all versions may allow a read-only administrator to retrieve API tokens of other administrators via observing REST API logs, if REST API logging is enabled (non-default configuration).
First Time appeared		Fortinet Fortinet fortios Fortinet fortipam Fortinet fortiproxy Fortinet fortisase Fortinet fortisra
Weaknesses		CWE-532
CPEs		cpe:2.3:a:fortinet:fortiproxy:7.2.0:::::::* cpe:2.3:a:fortinet:fortiproxy:7.2.10:::::::* cpe:2.3:a:fortinet:fortiproxy:7.2.11:::::::* cpe:2.3:a:fortinet:fortiproxy:7.2.1:::::::* cpe:2.3:a:fortinet:fortiproxy:7.2.2:::::::* cpe:2.3:a:fortinet:fortiproxy:7.2.3:::::::* cpe:2.3:a:fortinet:fortiproxy:7.2.4:::::::* cpe:2.3:a:fortinet:fortiproxy:7.2.5:::::::* cpe:2.3:a:fortinet:fortiproxy:7.2.6:::::::* cpe:2.3:a:fortinet:fortiproxy:7.2.7:::::::* cpe:2.3:a:fortinet:fortiproxy:7.2.8:::::::* cpe:2.3:a:fortinet:fortiproxy:7.2.9:::::::* cpe:2.3:a:fortinet:fortiproxy:7.4.0:::::::* cpe:2.3:a:fortinet:fortiproxy:7.4.1:::::::* cpe:2.3:a:fortinet:fortiproxy:7.4.2:::::::* cpe:2.3:a:fortinet:fortiproxy:7.4.3:::::::* cpe:2.3:a:fortinet:fortisase:24.1.10:::::::* cpe:2.3:a:fortinet:fortisra:1.4.0:::::::* cpe:2.3:a:fortinet:fortisra:1.4.1:::::::* cpe:2.3:a:fortinet:fortisra:1.4.2:::::::* cpe:2.3:a:fortinet:fortisra:1.4.3:::::::* cpe:2.3:o:fortinet:fortios:7.0.10:::::::* cpe:2.3:o:fortinet:fortios:7.0.11:::::::* cpe:2.3:o:fortinet:fortios:7.0.12:::::::* cpe:2.3:o:fortinet:fortios:7.0.13:::::::* cpe:2.3:o:fortinet:fortios:7.0.14:::::::* cpe:2.3:o:fortinet:fortios:7.0.15:::::::* cpe:2.3:o:fortinet:fortios:7.0.16:::::::* cpe:2.3:o:fortinet:fortios:7.0.17:::::::* cpe:2.3:o:fortinet:fortios:7.0.18:::::::* cpe:2.3:o:fortinet:fortios:7.0.4:::::::* cpe:2.3:o:fortinet:fortios:7.0.5:::::::* cpe:2.3:o:fortinet:fortios:7.0.6:::::::* cpe:2.3:o:fortinet:fortios:7.0.7:::::::* cpe:2.3:o:fortinet:fortios:7.0.8:::::::* cpe:2.3:o:fortinet:fortios:7.0.9:::::::* cpe:2.3:o:fortinet:fortios:7.2.0:::::::* cpe:2.3:o:fortinet:fortios:7.2.1:::::::* cpe:2.3:o:fortinet:fortios:7.2.2:::::::* cpe:2.3:o:fortinet:fortios:7.2.3:::::::* cpe:2.3:o:fortinet:fortios:7.2.4:::::::* cpe:2.3:o:fortinet:fortios:7.2.5:::::::* cpe:2.3:o:fortinet:fortios:7.2.6:::::::* cpe:2.3:o:fortinet:fortios:7.2.7:::::::* cpe:2.3:o:fortinet:fortios:7.4.0:::::::* cpe:2.3:o:fortinet:fortios:7.4.1:::::::* cpe:2.3:o:fortinet:fortios:7.4.2:::::::* cpe:2.3:o:fortinet:fortios:7.4.3:::::::* cpe:2.3:o:fortinet:fortipam:1.0.0:::::::* cpe:2.3:o:fortinet:fortipam:1.0.1:::::::* cpe:2.3:o:fortinet:fortipam:1.0.2:::::::* cpe:2.3:o:fortinet:fortipam:1.0.3:::::::* cpe:2.3:o:fortinet:fortipam:1.1.0:::::::* cpe:2.3:o:fortinet:fortipam:1.1.1:::::::* cpe:2.3:o:fortinet:fortipam:1.1.2:::::::* cpe:2.3:o:fortinet:fortipam:1.2.0:::::::* cpe:2.3:o:fortinet:fortipam:1.3.0:::::::* cpe:2.3:o:fortinet:fortipam:1.3.1:::::::* cpe:2.3:o:fortinet:fortipam:1.4.0:::::::* cpe:2.3:o:fortinet:fortipam:1.4.1:::::::* cpe:2.3:o:fortinet:fortipam:1.4.2:::::::* cpe:2.3:o:fortinet:fortipam:1.4.3:::::::*
Vendors & Products		Fortinet Fortinet fortios Fortinet fortipam Fortinet fortiproxy Fortinet fortisase Fortinet fortisra
References		https://fortiguard.fortinet.com/psirt/FG-IR-24-268
Metrics		cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C'}`

Subscriptions

Fortinet Fortios Fortipam Fortiproxy Fortisase Fortisra

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2025-12-09T17:20:42.499Z

Updated: 2026-02-26T16:56:58.331Z

Reserved: 2024-09-27T16:19:24.136Z

Link: CVE-2024-47570

Vulnrichment

Updated: 2025-12-09T18:05:26.021Z

NVD

Status : Analyzed

Published: 2025-12-09T18:15:47.590

Modified: 2025-12-10T20:32:21.217

Link: CVE-2024-47570

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-532

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object