CVE-2024-33503
Published: 14 January 2025
Summary
CVE-2024-33503 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Fortinet Fortianalyzer. Its CVSS base score is 6.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 13.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).
Deeper analysis
CVE-2024-33503 is an improper privilege management vulnerability (CWE-266) affecting Fortinet FortiManager versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, and 6.4.0 through 6.4.14, as well as FortiAnalyzer versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, and 6.4.0 through 6.4.14. The issue enables privilege escalation through the execution of specific shell commands, with a CVSS v3.1 base score of 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
An attacker requires local access and high privileges (PR:H) to exploit this vulnerability, which has low attack complexity and no user interaction. Successful exploitation allows the attacker to escalate privileges, resulting in high impacts on confidentiality, integrity, and availability within the affected scope.
The Fortinet PSIRT advisory (FG-IR-24-127) at https://fortiguard.fortinet.com/psirt/FG-IR-24-127 provides details on affected versions and mitigation recommendations, including available patches. Security practitioners should consult this advisory for upgrade paths and workarounds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-31241
Vulnerability details
A improper privilege management in Fortinet FortiManager version 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14 allows attacker to escalation of privilege…
more
via specific shell commands
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct local privilege escalation via shell command execution on Linux-based Fortinet appliances.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-6 Least Privilege directly counters the improper privilege management (CWE-269) by restricting high-privilege accounts from executing shell commands that enable escalation in FortiManager and FortiAnalyzer.
AC-2 Account Management ensures proper assignment, review, and revocation of privileges, mitigating the risk of improper privilege configurations leading to escalation via specific shell commands.
SI-2 Flaw Remediation requires applying vendor patches for CVE-2024-33503, directly eliminating the privilege escalation vulnerability in affected Fortinet products.