CVE-2024-33503
Published: 14 January 2025
Summary
CVE-2024-33503 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Fortinet FortiAnalyzer. Its CVSS base score is 6.7 (Medium).
Operationally, it is ranked at the 8.9th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-6 Least Privilege directly counters the improper privilege management (CWE-269) by restricting high-privilege accounts from executing shell commands that enable escalation in FortiManager and FortiAnalyzer.
AC-2 Account Management ensures proper assignment, review, and revocation of privileges, mitigating the risk of improper privilege configurations leading to escalation via specific shell commands.
SI-2 Flaw Remediation requires applying vendor patches for CVE-2024-33503, directly eliminating the privilege escalation vulnerability in affected Fortinet products.
NVD Description
An improper privilege management in Fortinet FortiManager version 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14 allows an attacker to escalate privilege via specific shell commands.
Deeper analysis
CVE-2024-33503 is an improper privilege management vulnerability (CWE-266) affecting Fortinet FortiManager versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, and 6.4.0 through 6.4.14, as well as FortiAnalyzer versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, and 6.4.0 through 6.4.14. The issue enables privilege escalation through the execution of specific shell commands, with a CVSS v3.1 base score of 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
An attacker requires local access and high privileges (PR:H) to exploit this vulnerability, which has low attack complexity and no user interaction. Successful exploitation allows the attacker to escalate privileges, resulting in high impacts on confidentiality, integrity, and availability within the affected scope.
The Fortinet PSIRT advisory (FG-IR-24-127) at https://fortiguard.fortinet.com/psirt/FG-IR-24-127 provides details on affected versions and mitigation recommendations, including available patches. Security practitioners should consult this advisory for upgrade paths and workarounds.
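As an added example (not part of the advisory or of Fortinet's tooling), the affected version ranges listed above turned into an inventory check a defender can run against a FortiManager and FortiAnalyzer fleet to decide which units need the FG-IR-24-127 upgrade first; the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges, transcribed from the NVD description of
# CVE-2024-33503 above. Branches not listed there (e.g. 7.6) are out of scope.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "FortiManager": [
        ((7, 4, 0), (7, 4, 3)),
        ((7, 2, 0), (7, 2, 5)),
        ((7, 0, 0), (7, 0, 12)),
        ((6, 4, 0), (6, 4, 14)),
    ],
    "FortiAnalyzer": [
        ((7, 4, 0), (7, 4, 2)),
        ((7, 2, 0), (7, 2, 5)),
        ((7, 0, 0), (7, 0, 12)),
        ((6, 4, 0), (6, 4, 14)),
    ],
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

def parse_version(text: str) -> Version:
    """Parse '7.4.2', 'v7.4.2' or '7.4.2-build2396' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))

def is_affected(product: str, version_text: str) -> bool:
    """True if the build sits inside any affected range for that product."""
    if product not in AFFECTED:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    v = parse_version(version_text)
    # Tuple comparison is numeric per component, so 7.0.12 > 7.0.2 as expected.
    return any(low <= v <= high for low, high in AFFECTED[product])

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("fmg-01.example", "FortiManager", "7.4.3"),
    ("fmg-02.example", "FortiManager", "7.4.4"),
    ("faz-01.example", "FortiAnalyzer", "v7.4.3-build2396"),
    ("faz-02.example", "FortiAnalyzer", "6.4.14"),
]

def triage(inventory) -> List[Tuple[str, bool]]:
    """Return (host, affected) pairs so vulnerable units can be patched first."""
    return [(host, is_affected(prod, ver)) for host, prod, ver in inventory]
```

Note that the FortiAnalyzer 7.4 branch is only affected up to 7.4.2, while FortiManager 7.4 is affected up to 7.4.3, so the two products must not share one range table.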
Details
- CWE(s)