CVE-2024-35273
Published: 14 January 2025
Summary
CVE-2024-35273 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Fortinet Fortianalyzer. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 46.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-35273 is an out-of-bounds write vulnerability (CWE-787) affecting Fortinet FortiManager versions 7.4.0 through 7.4.2 and FortiAnalyzer versions 7.4.0 through 7.4.2. The flaw arises from improper bounds checking, enabling an attacker to trigger the issue via specially crafted HTTP requests. It has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
An authenticated attacker with high privileges (PR:H) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). By sending malicious HTTP requests, the attacker can achieve privilege escalation, potentially gaining unauthorized access to higher-level permissions or full system compromise within the affected FortiManager or FortiAnalyzer instances.
Fortinet has published advisory FG-IR-24-106 at https://fortiguard.fortinet.com/psirt/FG-IR-24-106, which provides details on mitigation, including available patches for the vulnerable versions. Security practitioners should consult this advisory for upgrade instructions and apply fixes promptly to affected systems.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-35541
Vulnerability details
A out-of-bounds write in Fortinet FortiManager version 7.4.0 through 7.4.2, FortiAnalyzer version 7.4.0 through 7.4.2 allows attacker to escalation of privilege via specially crafted http requests.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds write via authenticated HTTP requests directly enables local/remote privilege escalation to full system compromise on the management appliance.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the CVE by requiring timely remediation of the out-of-bounds write flaw through vendor patches as specified in the Fortinet advisory.
Prevents exploitation of the vulnerability by enforcing validation of specially crafted HTTP request inputs to ensure proper bounds checking.
Mitigates memory corruption from out-of-bounds writes using protections like ASLR and DEP, reducing privilege escalation success even if the flaw is triggered.