Cyber Resilience

CVE-2024-35275

Severity: Medium
Published: 14 January 2025
Modified: 31 January 2025
KEV Added: not listed
Patch: vendor patch available (see Fortinet advisory FG-IR-24-091)
CVSS Score v3.1: 6.6 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0032 (55.9th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-35275 is a medium-severity SQL Injection (CWE-89) vulnerability in Fortinet FortiAnalyzer. Its CVSS base score is 6.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks in the top 44.1% of CVEs by exploit likelihood (EPSS 55.9th percentile) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-35275 is an SQL injection vulnerability (CWE-89) due to improper neutralization of special elements used in an SQL command. It affects Fortinet FortiAnalyzer versions 7.4.0 through 7.4.2 and FortiManager versions 7.4.0 through 7.4.2. The flaw allows attackers to achieve privilege escalation via specially crafted HTTP requests.

Exploitation is possible over the network (AV:N) by an attacker who already holds high privileges (PR:H) on the affected system. It requires high attack complexity (AC:H) but no user interaction (UI:N). A successful attack has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) within an unchanged scope (S:U), giving a CVSS v3.1 base score of 6.6.

Fortinet's PSIRT advisory FG-IR-24-091, available at https://fortiguard.fortinet.com/psirt/FG-IR-24-091, provides details on mitigation and patches for this vulnerability.

Vulnerability details

An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiAnalyzer versions 7.4.0 through 7.4.2 and FortiManager versions 7.4.0 through 7.4.2 allows an attacker to escalate privileges via specially crafted HTTP requests.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

SQL injection directly enables privilege escalation as explicitly stated in the CVE description.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-68648 (same product: Fortinet FortiAnalyzer)
CVE-2025-61848 (same product: Fortinet FortiAnalyzer)
CVE-2025-48418 (same product: Fortinet FortiAnalyzer)
CVE-2024-35273 (same product: Fortinet FortiAnalyzer)
CVE-2024-45331 (same product: Fortinet FortiAnalyzer)
CVE-2024-33503 (same product: Fortinet FortiAnalyzer)
CVE-2024-46662 (same product: Fortinet FortiManager)
CVE-2024-35276 (same product: Fortinet FortiAnalyzer)
CVE-2024-50563 (same product: Fortinet FortiAnalyzer)
CVE-2024-40584 (same product: Fortinet FortiAnalyzer)

Affected Assets

Vendor    Product              Affected versions
fortinet  fortianalyzer        7.4.0 to 7.4.4
fortinet  fortianalyzer cloud  7.4.1 to 7.4.3
fortinet  fortimanager         7.4.0 to 7.4.3
fortinet  fortimanager cloud   7.4.1 to 7.4.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation and sanitization of information inputs to neutralize special elements and prevent SQL injection attacks like CVE-2024-35275.

SI-2 Flaw Remediation (prevent)
Mandates identification, reporting, and correction of flaws, enabling timely patching of the SQL injection vulnerability as advised by Fortinet.

Vulnerability scanning (detect)
Provides vulnerability scanning to identify SQL injection flaws like CVE-2024-35275 in FortiAnalyzer and FortiManager.
