Cyber Posture

CVE-2024-35275

Severity: Medium
Published: 14 January 2025
Modified: 31 January 2025
KEV Added: not listed
Patch: Fortinet PSIRT advisory FG-IR-24-091
CVSS Score: 6.6 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0017 (37.4th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-35275 is a medium-severity SQL injection (CWE-89) vulnerability in Fortinet FortiAnalyzer and FortiManager. Its CVSS v3.1 base score is 6.6 (Medium).

Operationally, EPSS ranks it at the 37.4th percentile by exploitation likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of information inputs to neutralize special elements and prevent SQL injection attacks like CVE-2024-35275.

SI-2 Flaw Remediation (prevent): Mandates identification, reporting, and correction of flaws, enabling timely patching of the SQL injection vulnerability as advised by Fortinet.

RA-5 Vulnerability Monitoring and Scanning (detect): Provides vulnerability scanning to identify SQL injection flaws like CVE-2024-35275 in FortiAnalyzer and FortiManager.
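What SI-10 asks for, shown in code. The following Python is an added, generic CWE-89 illustration; it is not FortiAnalyzer or FortiManager code, and the users table, account names and the role-lookup functions are constructed for the example. It contrasts a lookup that splices request input into SQL text (the injected UNION turns a row lookup into a higher role than the caller holds, the same shape of outcome the NVD text describes) with the parameter-bound form, and adds an allowlist check for the one place binding cannot help: SQL identifiers such as a sort column.

```python
import sqlite3

# Constructed sample data standing in for an application's account store.
# Generic CWE-89 illustration only; nothing here is Fortinet's schema or code.
USERS = [("alice", "admin"), ("bob", "viewer"), ("carol", "viewer")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def role_for_user_vulnerable(conn: sqlite3.Connection, username: str):
    """CWE-89: the request-controlled value is spliced into the SQL text, so a
    quote and a comment marker in it rewrite the statement itself."""
    sql = f"SELECT role FROM users WHERE name = '{username}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def role_for_user_hardened(conn: sqlite3.Connection, username: str):
    """Parameter binding keeps the value outside the SQL grammar: the same
    payload is compared as an ordinary string and matches no account."""
    row = conn.execute("SELECT role FROM users WHERE name = ?", (username,)).fetchone()
    return row[0] if row else None


# Identifiers (column or table names, sort direction) cannot be bound as
# parameters, so validation against an allowlist is the control there.
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"rejected sort column: {sort_by!r}")
    return [r[0] for r in conn.execute(f"SELECT name FROM users ORDER BY {sort_by}")]


# Constructed payload: the UNION appends a row the caller never held, and the
# trailing comment marker discards the closing quote of the original query.
ESCALATION_PAYLOAD = "x' UNION SELECT 'admin'--"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup returns:", role_for_user_vulnerable(db, ESCALATION_PAYLOAD))
    print("hardened lookup returns:  ", role_for_user_hardened(db, ESCALATION_PAYLOAD))
```

The vulnerable function returns "admin" for a caller who is not alice; the hardened one returns None for the same input. Note that binding alone does not cover `list_users_sorted`: without the allowlist, a sort column of `name; DROP TABLE users` would reach the database as SQL.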

NVD Description

An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiAnalyzer version 7.4.0 through 7.4.2 and FortiManager version 7.4.0 through 7.4.2 allows an attacker to escalate privilege via specially crafted HTTP requests.

Deeper analysis (AI-generated)

CVE-2024-35275 is an SQL injection vulnerability (CWE-89) due to improper neutralization of special elements used in an SQL command. It affects Fortinet FortiAnalyzer versions 7.4.0 through 7.4.2 and FortiManager versions 7.4.0 through 7.4.2. The flaw allows attackers to achieve privilege escalation via specially crafted HTTP requests.

Exploitation is possible over the network (AV:N) and needs no user interaction (UI:N), but it requires an attacker who already holds high privileges on the affected system (PR:H) and carries high attack complexity (AC:H). A successful attack has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) within an unchanged scope (S:U). The PR:H and AC:H factors are what hold the CVSS v3.1 base score to 6.6 despite the full C/I/A impact; the same vector with PR:L would score 7.5 (High).

Fortinet's PSIRT advisory FG-IR-24-091, available at https://fortiguard.fortinet.com/psirt/FG-IR-24-091, provides details on mitigation and patches for this vulnerability. Note that the Affected Products list below extends past the 7.4.2 upper bound given in the NVD text (to 7.4.4 for FortiAnalyzer and 7.4.3 for FortiManager); treat the Fortinet advisory as the authoritative source for affected and fixed versions before closing a finding.

Details

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Affected Products

Vendor    Product              Versions
fortinet  fortianalyzer        7.4.0 — 7.4.4
fortinet  fortianalyzer cloud  7.4.1 — 7.4.3
fortinet  fortimanager         7.4.0 — 7.4.3
fortinet  fortimanager cloud   7.4.1 — 7.4.3

CVEs Like This One

CVE-2025-61848 (same product: Fortinet FortiAnalyzer)
CVE-2024-50563 (same product: Fortinet FortiAnalyzer)
CVE-2024-35276 (same product: Fortinet FortiAnalyzer)
CVE-2024-33503 (same product: Fortinet FortiAnalyzer)
CVE-2024-35273 (same product: Fortinet FortiAnalyzer)
CVE-2025-68648 (same product: Fortinet FortiAnalyzer)
CVE-2025-48418 (same product: Fortinet FortiAnalyzer)
CVE-2024-45331 (same product: Fortinet FortiAnalyzer)
CVE-2024-40584 (same product: Fortinet FortiAnalyzer)
CVE-2026-22572 (same product: Fortinet FortiAnalyzer)

References