Cyber Resilience

CVE-2024-33503

Severity: Medium
Published: 14 January 2025
Modified: 31 January 2025
KEV added: not listed
Patch: available (see the Fortinet PSIRT advisory below)
CVSS v3.1 score: 6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0004 (13.6th percentile)
Risk priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-33503 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Fortinet FortiAnalyzer. Its CVSS base score is 6.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 13.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-33503 is an improper privilege management vulnerability (CWE-266) affecting Fortinet FortiManager versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, and 6.4.0 through 6.4.14, as well as FortiAnalyzer versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, and 6.4.0 through 6.4.14. The issue enables privilege escalation through the execution of specific shell commands, with a CVSS v3.1 base score of 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

An attacker requires local access and high privileges (PR:H) to exploit this vulnerability, which has low attack complexity and no user interaction. Successful exploitation allows the attacker to escalate privileges, resulting in high impacts on confidentiality, integrity, and availability within the affected scope.

The Fortinet PSIRT advisory (FG-IR-24-127) at https://fortiguard.fortinet.com/psirt/FG-IR-24-127 provides details on affected versions and mitigation recommendations, including available patches. Security practitioners should consult this advisory for upgrade paths and workarounds.

Vulnerability details

An improper privilege management vulnerability in Fortinet FortiManager versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12 and 6.4.0 through 6.4.14, and FortiAnalyzer versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12 and 6.4.0 through 6.4.14, allows an attacker to escalate privileges via specific shell commands.

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1068 Exploitation for Privilege Escalation (Privilege Escalation): adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1059.004 Unix Shell (Execution): adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Direct local privilege escalation via shell command execution on Linux-based Fortinet appliances.

Confidence: HIGH (MITRE ATT&CK Enterprise v18.1)

CVEs Like This One

- CVE-2024-45331 (same product: Fortinet FortiAnalyzer)
- CVE-2024-35273 (same product: Fortinet FortiAnalyzer)
- CVE-2024-35275 (same product: Fortinet FortiAnalyzer)
- CVE-2025-48418 (same product: Fortinet FortiAnalyzer)
- CVE-2025-68648 (same product: Fortinet FortiAnalyzer)
- CVE-2024-50563 (same product: Fortinet FortiAnalyzer)
- CVE-2024-35276 (same product: Fortinet FortiAnalyzer)
- CVE-2025-61848 (same product: Fortinet FortiAnalyzer)
- CVE-2024-40584 (same product: Fortinet FortiAnalyzer)
- CVE-2024-40591 (same vendor: Fortinet)

Affected Assets

Vendor | Product | Affected version ranges
Fortinet | FortiAnalyzer | 6.4.0 to 7.2.6; 7.4.0 to 7.4.4
Fortinet | FortiAnalyzer Cloud | 6.4.1 to 7.2.7; 7.4.1 to 7.4.3
Fortinet | FortiManager | 6.4.0 to 7.2.6; 7.4.0 to 7.4.4
Fortinet | FortiManager Cloud | 7.0.1 to 7.2.7; 7.4.1 to 7.4.4

Mitigating Controls (NIST 800-53 r5)

- Prevent: AC-6 Least Privilege directly counters the improper privilege management (CWE-269) by restricting high-privilege accounts from executing shell commands that enable escalation in FortiManager and FortiAnalyzer.
- Prevent: AC-2 Account Management ensures proper assignment, review, and revocation of privileges, mitigating the risk of improper privilege configurations leading to escalation via specific shell commands.
- Prevent: SI-2 Flaw Remediation requires applying vendor patches for CVE-2024-33503, directly eliminating the privilege escalation vulnerability in affected Fortinet products.