CVE-2021-41028

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2021-41028
A combination of a use of hard-coded cryptographic key vulnerability [CWE-321] in FortiClientEMS 7.0.1 and below, 6.4.6 and below and an improper certificate validation vulnerability [CWE-297] in FortiClientWindows, FortiClientLinux and FortiClientMac 7.0.1 and below, 6.4.6 and below may allow an unauthenticated and network adjacent attacker to perform a man-in-the-middle attack between the EMS and the FCT via the telemetry protocol.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

5.4 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:A/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 5.5 / Impact : 6.4

Access Vector ADJACENT_NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
https://fortiguard.com/advisory/FG-IR-21-075 Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:macos:*:*
cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:windows:*:*
cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:linux:*:*
cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:macos:*:*
cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:windows:*:*
cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:linux:*:*
cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:macos:*:*
cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:windows:*:*
cpe:2.3:a:fortinet:forticlient:7.0.0:*:*:*:*:linux:*:*
cpe:2.3:a:fortinet:forticlient:7.0.0:*:*:*:*:macos:*:*
cpe:2.3:a:fortinet:forticlient:7.0.0:*:*:*:*:windows:*:*
cpe:2.3:a:fortinet:forticlient:7.0.1:*:*:*:*:linux:*:*
cpe:2.3:a:fortinet:forticlient:7.0.1:*:*:*:*:macos:*:*
cpe:2.3:a:fortinet:forticlient:7.0.1:*:*:*:*:windows:*:*
cpe:2.3:a:fortinet:forticlient_endpoint_management_server:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlient_endpoint_management_server:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlient_endpoint_management_server:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlient_endpoint_management_server:7.0.1:*:*:*:*:*:*:*
History

No history.

Information

Published : 2021-12-16 19:15

Updated : 2024-02-28 18:48

NVD link : CVE-2021-41028

Mitre link : CVE-2021-41028

CVE.ORG link : CVE-2021-41028

JSON object : View

Products Affected

fortinet

  • forticlient_endpoint_management_server
  • forticlient
CWE
CWE-295

Improper Certificate Validation

CWE-798

Use of Hard-coded Credentials