CVE-2024-45331
Published: 16 January 2025
Summary
CVE-2024-45331 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Fortinet Fortianalyzer. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 39.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2024-45331 is an incorrect privilege assignment vulnerability (CWE-266) present in multiple Fortinet products. It affects FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, and 6.4.0 through 6.4.15; FortiManager versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, and 6.4.0 through 6.4.15; and FortiAnalyzer Cloud versions 7.4.1 through 7.4.2, 7.2.1 through 7.2.6, 7.0.1 through 7.0.13, and 6.4.1 through 6.4.7. The flaw enables privilege escalation when an attacker executes specific shell commands, as disclosed in the NVD on 2025-01-16.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L), provided they have local access (AV:L) and user interaction is possible (UI:R). Successful exploitation allows escalation of privileges, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope (S:U), earning a CVSS v3.1 base score of 7.3.
Mitigation guidance is available in the Fortinet PSIRT advisory FG-IR-24-127 at https://fortiguard.fortinet.com/psirt/FG-IR-24-127.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-41276
Vulnerability details
A incorrect privilege assignment in Fortinet FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, FortiManager versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, FortiAnalyzer Cloud versions 7.4.1 through 7.4.2,…
more
7.2.1 through 7.2.6, 7.0.1 through 7.0.13, 6.4.1 through 6.4.7 allows attacker to escalate privilege via specific shell commands
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct local privilege escalation via shell command execution on Linux-based Fortinet appliances.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-6 enforces least privilege by ensuring accounts and processes receive only the minimum access rights needed, directly preventing privilege escalation via incorrectly assigned shell command privileges.
AC-3 requires systems to enforce approved access control policies, blocking unauthorized privilege escalations when specific shell commands are executed.
AC-2 mandates proper account management and privilege allocation procedures, reducing the likelihood of incorrect privilege assignments that enable shell-based escalation.