Cyber Resilience

CVE-2024-40591

Severity: High

Published: 11 February 2025
Modified: 17 July 2025
KEV Added: not listed
Patch: vendor fix available (see the Fortinet PSIRT advisory linked below)
CVSS Score (v3.1): 8.8, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0009 (25.6th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-40591 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Fortinet FortiOS. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 25.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-40591 is an incorrect privilege assignment vulnerability (CWE-266) in Fortinet FortiOS versions 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9, and before 7.0.15. The issue affects FortiGate devices: an authenticated admin whose access profile includes the Security Fabric permission can escalate to super-admin by connecting the device to a malicious upstream FortiGate under attacker control. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting network accessibility, low attack complexity, a low-privilege prerequisite, and high confidentiality, integrity, and availability impact.

The attack requires an authenticated low-privileged administrator on the target FortiGate with Security Fabric permissions. The attacker connects the target device to another FortiGate they control as a malicious upstream device in the Security Fabric topology, enabling privilege escalation to super-admin rights. This grants full administrative control over the affected FortiGate.

Mitigation details are available in the Fortinet PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-24-302.


Vulnerability details

An incorrect privilege assignment vulnerability [CWE-266] in Fortinet FortiOS version 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9 and before 7.0.15 allows an authenticated admin whose access profile has the Security Fabric permission to escalate their privileges to super-admin by connecting the targeted FortiGate to a malicious upstream FortiGate they control.

CWE(s)

CWE-266 Incorrect Privilege Assignment

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE directly describes a privilege escalation vulnerability that lets an authenticated low-privileged admin gain super-admin rights by abusing the Security Fabric feature.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-64157: same product (Fortinet FortiOS)
CVE-2026-22153: same product (Fortinet FortiOS)
CVE-2024-46668: same product (Fortinet FortiOS)
CVE-2025-53844: same product (Fortinet FortiOS)
CVE-2024-46670: same product (Fortinet FortiOS)
CVE-2024-35279: same product (Fortinet FortiOS)
CVE-2025-53847: same product (Fortinet FortiOS)
CVE-2025-24472: same product (Fortinet FortiOS)
CVE-2024-55591: same product (Fortinet FortiOS)
CVE-2025-62676: same product class (VPN / SSL gateway)

Affected Assets

Vendor: fortinet
Product: fortios
Versions: 7.6.0; 6.4.0 to 6.4.16; 7.0.0 to 7.0.16; 7.2.0 to 7.2.10

Note that these asset ranges do not match the version list in the vulnerability description above (7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9, and before 7.0.15). Confirm affected and fixed versions against the Fortinet PSIRT advisory before deciding whether a device needs patching.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: AC-6 (Least Privilege)

Enforcing the least privilege principle prevents assignment of Security Fabric permissions to low-privileged admins, removing the prerequisite for exploitation.

prevent: SI-2 (Flaw Remediation)

Timely flaw remediation through vendor patches directly eliminates the incorrect privilege assignment vulnerability in affected FortiOS versions.

prevent: AC-2 (Account Management)

Account management processes ensure that privileges such as Security Fabric access are appropriately assigned, periodically reviewed, and revoked when no longer needed, reducing escalation risk.

References

Fortinet PSIRT advisory FG-IR-24-302: https://fortiguard.fortinet.com/psirt/FG-IR-24-302