Cyber Posture

CVE-2024-40591

Severity: High
Published: 11 February 2025
Modified: 17 July 2025
KEV Added: not listed
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0009 (25.4th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-40591 is a high-severity incorrect privilege assignment (CWE-266) vulnerability in Fortinet FortiOS. Its CVSS v3.1 base score is 8.8 (High).

Operationally, it ranks at the 25.4th percentile by exploit likelihood (EPSS 0.0009, below the median), and it is not currently listed in the CISA KEV catalog. A low EPSS reflects a low estimated probability of exploitation in the wild, not difficulty of exploitation: the CVSS vector rates it low complexity with no user interaction, and the only prerequisite is an admin account whose access profile carries the Security Fabric permission.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-6 Least Privilege (prevent): Enforcing least privilege keeps the Security Fabric permission out of the access profiles of low-privileged administrators, which removes the prerequisite for exploitation.

SI-2 Flaw Remediation (prevent): Timely application of the vendor patch removes the incorrect privilege assignment from affected FortiOS versions.

AC-2 Account Management (prevent): Account management processes ensure that privileges such as Security Fabric access are assigned deliberately, reviewed periodically, and revoked when no longer needed, which limits escalation risk.

NVD Description

An incorrect privilege assignment vulnerability [CWE-266] in Fortinet FortiOS version 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9 and before 7.0.15 allows an authenticated admin whose access profile has the Security Fabric permission to escalate their privileges to super-admin by connecting the targeted FortiGate to a malicious upstream FortiGate they control.

Deeper analysis

CVE-2024-40591 is an incorrect privilege assignment vulnerability (CWE-266) in Fortinet FortiOS versions 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9, and before 7.0.15. It affects FortiGate devices: an authenticated admin whose access profile includes the Security Fabric permission can escalate to super-admin by connecting the device to a malicious upstream FortiGate under the attacker's control. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, no user interaction, and high confidentiality, integrity, and availability impact.

The attack requires an authenticated administrator on the target FortiGate whose access profile grants the Security Fabric permission; the account does not otherwise need super-admin rights, which is why the vector rates it PR:L. The attacker joins the target to a FortiGate they control, positioned as the upstream device in the Security Fabric topology, and thereby obtains super-admin rights on the target. The result is full administrative control of the affected FortiGate, so the practical exposure is every account holding that permission that can reach the management interface, combined with the attacker's ability to stand up or control an upstream FortiGate the target can connect to.

Mitigation details are available in the Fortinet PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-24-302.
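To make the attack prerequisite and the AC-6/AC-2/SI-2 controls above checkable, here is an added example (not code from the original page or from Fortinet) that audits a FortiOS configuration backup: it reads the firmware version from the backup header and tests it against the version ranges in the NVD description, lists every admin whose access profile grants the Security Fabric permission without being super_admin, and emits the CLI that would revoke it. It assumes, as I understand the FortiOS CLI reference, that the access-profile attribute is named secfabgrp with values none, read and read-write, and that a plain-text backup starts with a #config-version line carrying the firmware version; the configuration text embedded in the block is constructed for the example.

```python
"""Added example, not code from the original page or from Fortinet.

Audits a FortiOS config backup for the two preconditions of CVE-2024-40591:
a firmware version inside the ranges named in the NVD description, and admin
accounts whose access profile grants the Security Fabric permission without
being super_admin. Assumptions not stated on the page: the profile attribute
is `secfabgrp` (none/read/read-write), as in the CLI `config system accprofile`
table, and the backup's first line is `#config-version=...` carrying the
firmware version. SAMPLE_CONFIG is constructed for this example.
"""
import re

SAMPLE_CONFIG = """\
#config-version=FGT60F-7.4.3-FW-build2573-240201:opmode=0:vdom=0:user=admin
config system accprofile
    edit "super_admin"
    next
    edit "fabric_viewer"
        set secfabgrp read
    next
    edit "netops"
        set secfabgrp read-write
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "noc-viewer"
        set accprofile "fabric_viewer"
    next
    edit "jdoe"
        set accprofile "netops"
    next
end
"""

# Ranges exactly as the NVD description on this page gives them; the page's
# product table differs, so confirm against FG-IR-24-302 before relying on it.
AFFECTED_RANGES = [((7, 6, 0), (7, 6, 0)), ((7, 4, 0), (7, 4, 4)), ((7, 2, 0), (7, 2, 9))]
FIXED_BELOW = (7, 0, 15)  # "before 7.0.15" is affected


def parse_config(text):
    """{table: {entry: {key: value}}} for top-level `config` tables; nested sub-tables are skipped."""
    tables, table, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                table = line[len("config "):]
                tables.setdefault(table, {})
        elif line == "end":
            depth -= 1
        elif depth != 1:
            continue  # inside a nested sub-table, or outside any table
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            tables[table].setdefault(entry, {})
        elif line == "next":
            entry = None
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            tables[table][entry][key] = value.strip().strip('"')
    return tables


def firmware_version(text):
    """(major, minor, patch) from the `#config-version=` header line."""
    m = re.search(r"^#config-version=\S+?-(\d+)\.(\d+)\.(\d+)-", text, re.M)
    if not m:
        raise ValueError("no #config-version header found")
    return tuple(int(x) for x in m.groups())


def is_affected_version(v):
    return v < FIXED_BELOW or any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def exposed_admins(tables):
    """(admin, profile, secfabgrp) for each non-super_admin account whose profile grants
    any Security Fabric permission; read and read-write are both treated as in scope."""
    profiles = tables.get("system accprofile", {})
    out = []
    for name, settings in sorted(tables.get("system admin", {}).items()):
        prof = settings.get("accprofile", "")
        perm = profiles.get(prof, {}).get("secfabgrp", "none")
        if prof != "super_admin" and perm != "none":
            out.append((name, prof, perm))
    return out


def remediation_cli(findings):
    """CLI that revokes the permission from each flagged profile (AC-6)."""
    lines = ["config system accprofile"]
    for prof in sorted({prof for _, prof, _ in findings}):
        lines += [f'    edit "{prof}"', "        set secfabgrp none", "    next"]
    return "\n".join(lines + ["end"])


def audit(config_text):
    version = firmware_version(config_text)
    return {"version": version, "affected": is_affected_version(version),
            "findings": exposed_admins(parse_config(config_text))}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print(report)
    print(remediation_cli(report["findings"]))
```

The version check deliberately uses the NVD ranges rather than the product table further down this page, because the two disagree; the CLI the script prints is the AC-6 fix, and the list of flagged accounts is the AC-2 review input. On a live device the same two tables can be pulled as JSON from the REST API endpoints /api/v2/cmdb/system/accprofile and /api/v2/cmdb/system/admin (my reading of the FortiOS REST reference, not something the page states), and fed to exposed_admins after mapping the JSON fields onto the same dict shape.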

Details

CWE(s)

CWE-266 Incorrect Privilege Assignment

Affected Products

Fortinet FortiOS: 7.6.0 · 6.4.0 to 6.4.16 · 7.0.0 to 7.0.16 · 7.2.0 to 7.2.10

These ranges differ from the version list in the NVD description above, which includes 7.4.0 through 7.4.4 and stops at 7.2.9 and below 7.0.15; confirm against Fortinet advisory FG-IR-24-302 before ruling a device out of scope.

CVEs Like This One

CVE-2026-22153 (same product: Fortinet FortiOS)
CVE-2025-64157 (same product: Fortinet FortiOS)
CVE-2024-46668 (same product: Fortinet FortiOS)
CVE-2024-46670 (same product: Fortinet FortiOS)
CVE-2024-35279 (same product: Fortinet FortiOS)
CVE-2025-53847 (same product: Fortinet FortiOS)
CVE-2024-26006 (same product: Fortinet FortiOS)
CVE-2025-24472 (same product: Fortinet FortiOS)
CVE-2024-55591 (same product: Fortinet FortiOS)
CVE-2025-59718 (same product: Fortinet FortiOS)

References

Fortinet PSIRT advisory FG-IR-24-302: https://fortiguard.fortinet.com/psirt/FG-IR-24-302