CVE-2024-26012
Published: 14 January 2025
Summary
CVE-2024-26012 is a medium-severity OS Command Injection (CWE-78) vulnerability in Fortinet FortiAP. Its CVSS base score is 6.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008); ranked at the 26.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-26012 is an OS command injection vulnerability (CWE-78) due to improper neutralization of special elements used in an OS command. It affects Fortinet FortiAP-S all 6.2 versions and 6.4.0 through 6.4.9; FortiAP-W2 all 6.4 versions, all 7.0 versions, 7.2.0 through 7.2.3, and 7.4.0 through 7.4.2; and FortiAP all 6.4 versions, all 7.0 versions, 7.2.0 through 7.2.3, and 7.4.0 through 7.4.2. The issue enables a local authenticated attacker to execute unauthorized code via the CLI. It carries a CVSS v3.1 base score of 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), rated as medium severity.
An attacker requires local access and high-privilege authentication (PR:H) to exploit the vulnerability with low complexity (AC:L) and no user interaction. Successful exploitation allows execution of arbitrary OS commands, resulting in high impacts to confidentiality, integrity, and availability, potentially leading to full compromise of the affected FortiAP device.
Mitigation details are available in the Fortinet PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-23-405. Security practitioners should consult this reference for patching instructions and workarounds specific to the affected versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-23308
Vulnerability details
An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiAP-S 6.2 all versions, and 6.4.0 through 6.4.9, FortiAP-W2 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.3, and 7.4.0 through 7.4.2, FortiAP 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.3, and 7.4.0 through 7.4.2 allows a local authenticated attacker to execute unauthorized code via the CLI.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection via CLI on network device (FortiAP) directly maps to Network Device CLI execution.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates OS command injection by requiring validation of CLI inputs to neutralize special elements.
- SI-2 (Flaw Remediation): addresses the specific flaw in the FortiAP CLI by requiring timely remediation through vendor patching.
- Limits exploitation potential by restricting the high-privilege access required for local authenticated CLI attacks.