Cyber Resilience

CVE-2024-40584

Severity: High · Impact: RCE

Published: 11 February 2025
Modified: 22 July 2025
KEV Added: not listed
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.6th percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-40584 is a high-severity OS Command Injection (CWE-78) vulnerability in the GUI of Fortinet FortiAnalyzer, FortiManager, FortiAnalyzer BigData, FortiAnalyzer Cloud and FortiManager Cloud. Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190), with the caveat that the attacker must already hold a privileged GUI account (PR:H), so the technique applies where the management interface is reachable from untrusted networks. EPSS ranks it at the 30.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-40584 is an improper neutralization of special elements used in an OS command, classified as an OS Command Injection vulnerability (CWE-78), affecting the GUI in multiple Fortinet products. Affected versions (all ranges inclusive):

FortiAnalyzer: 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, 6.2.2 through 6.2.13
FortiManager: 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, 6.2.2 through 6.2.13
FortiAnalyzer BigData: 7.4.0, 7.2.0 through 7.2.7, 7.0.1 through 7.0.6, 6.4.5 through 6.4.7, 6.2.5
FortiAnalyzer Cloud: 7.4.1 through 7.4.3, 7.2.1 through 7.2.5, 7.0.1 through 7.0.13, 6.4.1 through 6.4.7
FortiManager Cloud: 7.4.1 through 7.4.3, 7.2.1 through 7.2.5, 7.0.1 through 7.0.13, 6.4.1 through 6.4.7
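The version list above is what an inventory check has to encode. The script below is an added example, not Fortinet tooling: it transcribes the advisory's inclusive ranges per product and release branch, compares versions numerically (a lexical string comparison would wrongly clear 7.0.9 because "7.0.9" > "7.0.13" as strings), and runs over a constructed sample inventory with hypothetical hostnames.

```python
"""Affected-version check for CVE-2024-40584.

Added example, not Fortinet tooling. The ranges are transcribed from the
advisory text and are inclusive at both ends; the inventory lines at the
bottom are constructed sample data with hypothetical hostnames.
"""
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, int, int]

# Per product: (first affected, last affected) for each release branch.
_FAZ_FMG = [
    ("7.4.0", "7.4.3"), ("7.2.0", "7.2.5"), ("7.0.0", "7.0.13"),
    ("6.4.0", "6.4.15"), ("6.2.2", "6.2.13"),
]
_CLOUD = [
    ("7.4.1", "7.4.3"), ("7.2.1", "7.2.5"), ("7.0.1", "7.0.13"),
    ("6.4.1", "6.4.7"),
]
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "fortianalyzer": _FAZ_FMG,
    "fortimanager": _FAZ_FMG,
    "fortianalyzer bigdata": [
        ("7.4.0", "7.4.0"), ("7.2.0", "7.2.7"), ("7.0.1", "7.0.6"),
        ("6.4.5", "6.4.7"), ("6.2.5", "6.2.5"),
    ],
    "fortianalyzer cloud": _CLOUD,
    "fortimanager cloud": _CLOUD,
}


def _key(product: str) -> str:
    """Normalise a product name: case-insensitive, single spaces."""
    return " ".join(product.lower().split())


def parse_version(text: str) -> Version:
    """Turn 'major.minor.patch' into an int tuple so comparison is numeric.

    As strings '7.0.9' > '7.0.13', so a string comparison would wrongly
    report 7.0.9 as above the affected range.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(product: str, version: str) -> bool:
    """True if 'version' of 'product' lies inside any affected branch range."""
    key = _key(product)
    if key not in AFFECTED:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED[key])


def check_inventory(lines: Iterable[str]) -> List[str]:
    """Return hostnames whose 'host,product,version' record is affected.

    Products this advisory does not cover (e.g. FortiGate) are skipped rather
    than reported, so the result is the list of hosts that need the fix.
    """
    hits: List[str] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (f.strip() for f in line.split(",", 2))
        if _key(product) not in AFFECTED:
            continue
        if is_affected(product, version):
            hits.append(host)
    return hits


# Constructed sample inventory (hypothetical hostnames, not real assets).
SAMPLE_INVENTORY = """\
# host,product,version
fmg-01,FortiManager,7.4.3
fmg-02,FortiManager,7.4.4
faz-01,FortiAnalyzer,7.0.9
faz-bd-01,FortiAnalyzer BigData,7.4.1
fmg-cloud-01,FortiManager Cloud,6.4.0
fgt-01,FortiGate,7.4.3
""".splitlines()

if __name__ == "__main__":
    for host in check_inventory(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2024-40584, upgrade per FG-IR-24-220")
```

On the constructed inventory only fmg-01 (7.4.3, last affected in 7.4) and faz-01 (7.0.9, inside 7.0.0 through 7.0.13) are reported; 7.4.4 is the first release past the range, BigData 7.4.1 is outside its single affected 7.4.0 build, and FortiManager Cloud starts at 6.4.1.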

An authenticated attacker holding privileged GUI access (PR:H) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N) by sending crafted HTTPS or HTTP requests to the GUI, resulting in execution of unauthorized code or commands on the appliance. The CVSS v3.1 base score is 7.2, with high impact on confidentiality, integrity and availability (C:H/I:H/A:H) and an unchanged scope (S:U). Note that S:U only describes the scoring boundary: a compromised FortiManager centrally manages the FortiGate devices registered to it and a FortiAnalyzer holds their logs, so the practical blast radius of command execution on either is larger than the score alone suggests.

Mitigation details are available in the Fortinet product security incident response team advisory at https://fortiguard.fortinet.com/psirt/FG-IR-24-220.


Vulnerability details

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiAnalyzer version 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15 and 6.2.2 through 6.2.13, Fortinet FortiManager version 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15 and 6.2.2 through 6.2.13, Fortinet FortiAnalyzer BigData version 7.4.0, 7.2.0 through 7.2.7, 7.0.1 through 7.0.6, 6.4.5 through 6.4.7 and 6.2.5, Fortinet FortiAnalyzer Cloud version 7.4.1 through 7.4.3, 7.2.1 through 7.2.5, 7.0.1 through 7.0.13 and 6.4.1 through 6.4.7 and Fortinet FortiManager Cloud version 7.4.1 through 7.4.3, 7.2.1 through 7.2.5, 7.0.1 through 7.0.13 and 6.4.1 through 6.4.7 GUI allows an authenticated privileged attacker to execute unauthorized code or commands via crafted HTTPS or HTTP requests.

CWE(s)

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

OS command injection in network-exposed GUI directly enables remote code/command execution via crafted requests to a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-35276 · Same product: Fortinet FortiAnalyzer
CVE-2025-61848 · Same product: Fortinet FortiAnalyzer
CVE-2024-50566 · Same product: Fortinet FortiManager
CVE-2024-50563 · Same product: Fortinet FortiAnalyzer
CVE-2024-36512 · Same product: Fortinet FortiAnalyzer
CVE-2024-33502 · Same product: Fortinet FortiAnalyzer
CVE-2026-22828 · Same product: Fortinet FortiAnalyzer Cloud
CVE-2025-49784 · Same product: Fortinet FortiAnalyzer
CVE-2024-35277 · Same product: Fortinet FortiManager
CVE-2026-22572 · Same product: Fortinet FortiAnalyzer

Affected Assets

Fortinet FortiManager Cloud: 6.4.1 — 7.0.14 · 7.2.1 — 7.2.6 · 7.4.1 — 7.4.4
Fortinet FortiManager: 6.2.2 — 6.2.13 · 6.4.0 — 7.2.6 · 7.4.0 — 7.4.4
Fortinet FortiAnalyzer BigData: 7.4.0 · 6.2.1 — 7.2.8
Fortinet FortiAnalyzer Cloud: 6.4.1 — 7.2.6 · 7.4.1 — 7.4.4
Fortinet FortiAnalyzer: 6.2.2 — 7.2.6 · 7.4.0 — 7.4.4

These asset ranges are coarser than the advisory's version list: several release branches are collapsed into one span, and each upper bound appears to be the first fixed release rather than the last affected one (for example 7.4.4 here against "through 7.4.3" in the advisory text), so read the upper bounds as exclusive and treat the per-branch list in the Deeper analysis section as authoritative when deciding whether a given build needs the patch.

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation · prevent

Directly mitigates OS command injection by requiring validation and neutralization of special elements in crafted GUI inputs used for OS commands.

SI-2 Flaw Remediation · prevent

Requires timely flaw remediation through vendor patches for this specific command injection vulnerability in Fortinet GUI components.

AC-6 Least Privilege · prevent

Reduces impact of unauthorized command execution by privileged attackers through enforcement of least privilege on GUI and OS command access. Because exploitation already requires a privileged GUI account (PR:H), keeping the number of such accounts small and the GUI reachable only from trusted management networks shrinks the population that can reach the vulnerable code path at all.
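The exploitation description above (request input reaching an OS command) and the SI-10 control are two sides of the same defect. The following is an added illustration, not Fortinet code: the real FortiAnalyzer/FortiManager GUI handler behind CVE-2024-40584 is not public. It assumes a hypothetical GUI diagnostic endpoint that takes a host parameter and runs ping, shows the CWE-78 shape in which that parameter is concatenated into a shell command line, counts how many shell commands a crafted value would produce, and then shows the SI-10 hardened form: allowlist validation followed by an argv list that is never parsed by a shell. The parameter values and hostnames are constructed for the example.

```python
"""OS command injection (CWE-78) in a GUI handler: vulnerable and hardened shapes.

Added illustration, not Fortinet code. The 'ping' endpoint, the parameter
values and the hostnames are hypothetical and constructed for the example.
"""
import re
import shlex
import subprocess
from typing import List

# Constructed request parameter values. The second is the kind of "crafted
# HTTP request" the advisory describes: a valid-looking host with a shell
# command appended after a separator.
BENIGN_HOST = "192.0.2.10"
CRAFTED_HOST = "192.0.2.10; id > /tmp/pwned"


def build_command_vulnerable(host: str) -> str:
    """Vulnerable pattern: request input concatenated into a shell command line.

    Returned rather than executed (with shell=True it would run). The
    '; id > /tmp/pwned' suffix passes through untouched, and a shell would
    run it as a second command with the web process's privileges.
    """
    return f"ping -c 1 {host}"


def shell_command_count(cmdline: str) -> int:
    """Count the simple commands a POSIX shell would see in 'cmdline'.

    shlex with punctuation_chars tokenises ; | & the way a shell does. A
    result above 1 means the input changed the command structure, which is
    exactly what CWE-78 is.
    """
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    separators = {";", "|", "||", "&", "&&"}
    return 1 + sum(1 for tok in lexer if tok in separators)


# SI-10: allowlist validation. One DNS-label grammar covers hostnames and IPv4
# dotted quads (digits are valid label characters) and rejects whitespace,
# shell metacharacters and a leading '-' (so no option injection either).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}")


def validate_host(host: str) -> str:
    """Return 'host' unchanged if it is a hostname or IPv4 address, else raise."""
    if len(host) > 253 or not _HOST_RE.fullmatch(host):
        raise ValueError("host must be a hostname or IPv4 address")
    return host


def is_valid_host(host: str) -> bool:
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def build_command_hardened(host: str) -> List[str]:
    """Hardened form: validate first, then build an argv list for shell=False.

    subprocess.run(argv) execs the binary directly, so no shell parses the
    arguments; even if validation were bypassed, a ';' in 'host' would only
    ever be part of a single argument handed to ping.
    """
    return ["ping", "-c", "1", validate_host(host)]


def run_hardened(host: str) -> "subprocess.CompletedProcess[str]":
    """Execute the hardened command (not exercised by the demo below)."""
    return subprocess.run(build_command_hardened(host), capture_output=True,
                          text=True, timeout=10, check=False)


if __name__ == "__main__":
    for host in (BENIGN_HOST, CRAFTED_HOST):
        cmd = build_command_vulnerable(host)
        print(f"vulnerable: {cmd!r} -> {shell_command_count(cmd)} shell command(s)")
        if is_valid_host(host):
            print(f"hardened:   {build_command_hardened(host)!r}")
        else:
            print("hardened:   rejected by allowlist validation")
```

The two layers are deliberately redundant: validation stops the crafted value at the boundary, and the argv list means a validation gap (a new parameter someone forgets to check) still cannot turn into shell execution. Fixing only one of them is how this bug class comes back in the next release.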
