Cyber Resilience

CVE-2024-45324

Severity: High
Published: 11 March 2025
Modified: 24 July 2025
KEV Added: not listed
Patch: see Fortinet advisory FG-IR-24-325
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (44.6th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-45324 is a high-severity Use of Externally-Controlled Format String (CWE-134) vulnerability in Fortinet FortiOS. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 44.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-45324 is a use of externally-controlled format string vulnerability (CWE-134) affecting multiple Fortinet products. It impacts FortiOS versions 7.4.0 through 7.4.4, 7.2.0 through 7.2.9, 7.0.0 through 7.0.15 and before 6.4.15; FortiProxy versions 7.4.0 through 7.4.6, 7.2.0 through 7.2.12 and before 7.0.19; FortiPAM versions 1.4.0 through 1.4.2 and before 1.3.1; FortiSRA versions 1.4.0 through 1.4.2 and before 1.3.1; and FortiWeb versions 7.4.0 through 7.4.5, 7.2.0 through 7.2.10 and before 7.0.10.

The vulnerability can be exploited over the network (AV:N) by an attacker who already holds high privileges (PR:H), with low attack complexity (AC:L) and no user interaction required (UI:N). By sending specially crafted HTTP or HTTPS commands, the attacker can execute unauthorized code or commands, resulting in high impact to confidentiality, integrity, and availability (CVSS 7.2; CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Fortinet's PSIRT advisory FG-IR-24-325 (https://fortiguard.fortinet.com/psirt/FG-IR-24-325) provides details on mitigation and patches for the affected versions.
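The version ranges above are the practical input for triage: an asset owner needs to know which inventory entries fall inside an affected branch before patching. The following is an added example (not code from the page, Fortinet, or the advisory) that encodes the ranges exactly as quoted here and checks a constructed inventory against them; the hostnames and build strings are hypothetical, and "before X.Y.Z" is modelled as every version below X.Y.Z.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
# (lower bound inclusive, or None for "any earlier version"; upper bound EXCLUSIVE)
Range = Tuple[Optional[Version], Version]

# Affected ranges transcribed from the FG-IR-24-325 text quoted on this page.
# "X through Y" -> [X, next patch after Y); "before Z" -> [any, Z). Assumption:
# "before Z" is read as all versions below Z, not only the Z.x branch.
AFFECTED: Dict[str, List[Range]] = {
    "fortios":    [((7, 4, 0), (7, 4, 5)), ((7, 2, 0), (7, 2, 10)),
                   ((7, 0, 0), (7, 0, 16)), (None, (6, 4, 15))],
    "fortiproxy": [((7, 4, 0), (7, 4, 7)), ((7, 2, 0), (7, 2, 13)),
                   (None, (7, 0, 19))],
    "fortipam":   [((1, 4, 0), (1, 4, 3)), (None, (1, 3, 1))],
    "fortisra":   [((1, 4, 0), (1, 4, 3)), (None, (1, 3, 1))],
    "fortiweb":   [((7, 4, 0), (7, 4, 6)), ((7, 2, 0), (7, 2, 11)),
                   (None, (7, 0, 10))],
}

def parse_version(text: str) -> Version:
    """Extract the first x.y.z triple from strings such as 'v7.4.3,build2573'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))

def is_affected(product: str, version: str) -> bool:
    """True if product/version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    ranges = AFFECTED.get(product.lower())
    if ranges is None:
        raise KeyError(f"product {product!r} is not covered by this advisory")
    return any((lo is None or lo <= v) and v < hi for lo, hi in ranges)

# Constructed sample inventory (hypothetical hosts and builds, not from the page).
INVENTORY = [
    ("fw-edge-01", "FortiOS", "v7.4.4,build2662"),
    ("fw-edge-02", "FortiOS", "v7.4.5,build2702"),
    ("proxy-01", "FortiProxy", "7.0.18"),
    ("pam-01", "FortiPAM", "1.2.0"),
    ("waf-01", "FortiWeb", "7.0.10"),
]

def triage(inventory=INVENTORY) -> List[str]:
    """Return the hostnames whose installed version is within an affected range."""
    return [host for host, prod, ver in inventory if is_affected(prod, ver)]

if __name__ == "__main__":
    for host in triage():
        print(f"{host}: affected, patch per FG-IR-24-325")
```

Boundary versions (the last affected build and the first fixed one) are the cases worth double-checking against the vendor advisory before acting on the output.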


Vulnerability details

A use of externally-controlled format string vulnerability [CWE-134] in FortiOS version 7.4.0 through 7.4.4, version 7.2.0 through 7.2.9, version 7.0.0 through 7.0.15 and before 6.4.15, FortiProxy version 7.4.0 through 7.4.6, version 7.2.0 through 7.2.12 and before 7.0.19, FortiPAM version 1.4.0 through 1.4.2 and before 1.3.1, FortiSRA version 1.4.0 through 1.4.2 and before 1.3.1 and FortiWeb version 7.4.0 through 7.4.5, version 7.2.0 through 7.2.10 and before 7.0.10 allows a privileged attacker to execute unauthorized code or commands via specially crafted HTTP or HTTPS commands.

CWE(s)

CWE-134 Use of Externally-Controlled Format String

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a network-accessible RCE vulnerability in public-facing Fortinet web management interfaces (HTTP/HTTPS), directly enabling exploitation of public-facing applications for code/command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-26009 (same product: Fortinet FortiOS)
CVE-2025-24472 (same product: Fortinet FortiOS)
CVE-2024-55591 (same product: Fortinet FortiOS)
CVE-2025-64157 (same product: Fortinet FortiOS)
CVE-2024-35279 (same product: Fortinet FortiOS)
CVE-2025-53847 (same product: Fortinet FortiOS)
CVE-2024-26006 (same product: Fortinet FortiOS)
CVE-2025-25249 (same product: Fortinet FortiOS)
CVE-2025-59718 (same product: Fortinet FortiOS)
CVE-2024-48884 (same product: Fortinet FortiOS)

Affected Assets

Vendor: fortinet, Product: fortios, Versions: 6.2.0 to 6.2.17; 6.4.0 to 6.4.16; 7.0.0 to 7.0.16
Vendor: fortinet, Product: fortipam, Versions: 1.0.0 to 1.3.1; 1.4.0 to 1.4.3
Vendor: fortinet, Product: fortiproxy, Versions: 7.6.0; 7.0.0 to 7.0.20; 7.2.0 to 7.2.13; 7.4.0 to 7.4.7
Vendor: fortinet, Product: fortiweb, Versions: 7.6.0; 7.0.0 to 7.0.11; 7.2.0 to 7.2.11; 7.4.0 to 7.4.6
Vendor: fortinet, Product: fortisra, Versions: 1.4.0 to 1.4.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2 Flaw Remediation): Directly remediates the format string vulnerability by applying vendor patches for affected Fortinet products as specified in the advisory.

prevent (SI-10 Information Input Validation): Validates externally-controlled inputs in HTTP/HTTPS commands to block specially crafted format strings from reaching vulnerable parsing functions.

prevent (memory protection; control identifier not given on this page): Provides memory protections such as ASLR and DEP to mitigate arbitrary code execution even if a format string vulnerability is exploited.