CVE-2024-40584
Published: 11 February 2025
Summary
CVE-2024-40584 is a high-severity OS Command Injection (CWE-78) vulnerability in Fortinet Fortimanager Cloud. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-40584 is an improper neutralization of special elements used in an OS command, classified as an OS Command Injection vulnerability (CWE-78), affecting the GUI in multiple Fortinet products. The impacted software includes FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, and 6.2.2 through 6.2.13; FortiManager versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, and 6.2.2 through 6.2.13; FortiAnalyzer BigData versions 7.4.0, 7.2.0 through 7.2.7, 7.0.1 through 7.0.6, 6.4.5 through 6.4.7, and 6.2.5; FortiAnalyzer Cloud versions 7.4.1 through 7.4.3, 7.2.1 through 7.2.5, 7.0.1 through 7.0.13, and 6.4.1 through 6.4.7; and FortiManager Cloud versions 7.4.1 through 7.4.3, 7.2.1 through 7.2.5, 7.0.1 through 7.0.13, and 6.4.1 through 6.4.7.
An authenticated privileged attacker (PR:H) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N) by sending crafted HTTPS or HTTP requests to the GUI, enabling execution of unauthorized code or commands. The vulnerability has a CVSS v3.1 base score of 7.2 (C:H/I:H/A:H/S:U), indicating high impacts on confidentiality, integrity, and availability within the unchanged security scope.
Mitigation details are available in the Fortinet product security incident response team advisory at https://fortiguard.fortinet.com/psirt/FG-IR-24-220.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4974
Vulnerability details
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiAnalyzer version 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15 and 6.2.2 through 6.2.13, Fortinet FortiManager version 7.4.0…
more
through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15 and 6.2.2 through 6.2.13, Fortinet FortiAnalyzer BigData version 7.4.0, 7.2.0 through 7.2.7, 7.0.1 through 7.0.6, 6.4.5 through 6.4.7 and 6.2.5, Fortinet FortiAnalyzer Cloud version 7.4.1 through 7.4.3, 7.2.1 through 7.2.5, 7.0.1 through 7.0.13 and 6.4.1 through 6.4.7 and Fortinet FortiManager Cloud version 7.4.1 through 7.4.3, 7.2.1 through 7.2.5, 7.0.1 through 7.0.13 and 6.4.1 through 6.4.7 GUI allows an authenticated privileged attacker to execute unauthorized code or commands via crafted HTTPS or HTTP requests.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in network-exposed GUI directly enables remote code/command execution via crafted requests to a public-facing application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates OS command injection by requiring validation and neutralization of special elements in crafted GUI inputs used for OS commands.
Requires timely flaw remediation through vendor patches for this specific command injection vulnerability in Fortinet GUI components.
Reduces impact of unauthorized command execution by privileged attackers through enforcement of least privilege on GUI and OS command access.