CVE-2024-40584
Published: 11 February 2025
Summary
CVE-2024-40584 is a high-severity OS Command Injection (CWE-78) vulnerability in Fortinet Fortimanager Cloud. Its CVSS base score is 7.2 (High).
Operationally, ranked at the 29.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates OS command injection by requiring validation and neutralization of special elements in crafted GUI inputs used for OS commands.
Requires timely flaw remediation through vendor patches for this specific command injection vulnerability in Fortinet GUI components.
Reduces impact of unauthorized command execution by privileged attackers through enforcement of least privilege on GUI and OS command access.
NVD Description
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiAnalyzer version 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15 and 6.2.2 through 6.2.13, Fortinet FortiManager version 7.4.0…
more
through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15 and 6.2.2 through 6.2.13, Fortinet FortiAnalyzer BigData version 7.4.0, 7.2.0 through 7.2.7, 7.0.1 through 7.0.6, 6.4.5 through 6.4.7 and 6.2.5, Fortinet FortiAnalyzer Cloud version 7.4.1 through 7.4.3, 7.2.1 through 7.2.5, 7.0.1 through 7.0.13 and 6.4.1 through 6.4.7 and Fortinet FortiManager Cloud version 7.4.1 through 7.4.3, 7.2.1 through 7.2.5, 7.0.1 through 7.0.13 and 6.4.1 through 6.4.7 GUI allows an authenticated privileged attacker to execute unauthorized code or commands via crafted HTTPS or HTTP requests.
Deeper analysisAI
CVE-2024-40584 is an improper neutralization of special elements used in an OS command, classified as an OS Command Injection vulnerability (CWE-78), affecting the GUI in multiple Fortinet products. The impacted software includes FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, and 6.2.2 through 6.2.13; FortiManager versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, and 6.2.2 through 6.2.13; FortiAnalyzer BigData versions 7.4.0, 7.2.0 through 7.2.7, 7.0.1 through 7.0.6, 6.4.5 through 6.4.7, and 6.2.5; FortiAnalyzer Cloud versions 7.4.1 through 7.4.3, 7.2.1 through 7.2.5, 7.0.1 through 7.0.13, and 6.4.1 through 6.4.7; and FortiManager Cloud versions 7.4.1 through 7.4.3, 7.2.1 through 7.2.5, 7.0.1 through 7.0.13, and 6.4.1 through 6.4.7.
An authenticated privileged attacker (PR:H) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N) by sending crafted HTTPS or HTTP requests to the GUI, enabling execution of unauthorized code or commands. The vulnerability has a CVSS v3.1 base score of 7.2 (C:H/I:H/A:H/S:U), indicating high impacts on confidentiality, integrity, and availability within the unchanged security scope.
Mitigation details are available in the Fortinet product security incident response team advisory at https://fortiguard.fortinet.com/psirt/FG-IR-24-220.
Details
- CWE(s)