
CVE-2024-45331

Severity: High
Published: 16 January 2025
Modified: 03 February 2025
KEV Added: not listed
Patch: see Fortinet PSIRT advisory FG-IR-24-127
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (39.9th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-45331 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Fortinet FortiAnalyzer. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score places it at the 39.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-45331 is an incorrect privilege assignment vulnerability (CWE-266) present in multiple Fortinet products. It affects FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, and 6.4.0 through 6.4.15; FortiManager versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, and 6.4.0 through 6.4.15; and FortiAnalyzer Cloud versions 7.4.1 through 7.4.2, 7.2.1 through 7.2.6, 7.0.1 through 7.0.13, and 6.4.1 through 6.4.7. The flaw enables privilege escalation when an attacker executes specific shell commands, as disclosed in the NVD on 2025-01-16.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L), provided they have local access (AV:L) and some user interaction is required (UI:R). Successful exploitation allows escalation of privileges, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope (S:U), earning a CVSS v3.1 base score of 7.3.

Mitigation guidance is available in the Fortinet PSIRT advisory FG-IR-24-127 at https://fortiguard.fortinet.com/psirt/FG-IR-24-127.
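The practical question for a defender is which appliances in an inventory still run an affected build. The following is an added example (not Fortinet's code and not from this advisory) that encodes the inclusive version ranges quoted in the analysis above and checks an inventory against them. The inventory rows, hostnames and the build-string format are constructed for illustration; the product keys and the `parse_version`/`is_affected`/`triage` helpers are this example's own names.

```python
"""Check FortiAnalyzer / FortiManager builds against the CVE-2024-45331
affected ranges (added example; ranges copied from the CVE description)."""
import re

# Inclusive (lowest, highest) affected versions per product, as stated in
# the CVE description. Keys are normalised product names used by this script.
AFFECTED = {
    "fortianalyzer": [
        ("7.4.0", "7.4.3"), ("7.2.0", "7.2.5"), ("7.0.0", "7.0.13"), ("6.4.0", "6.4.15"),
    ],
    "fortimanager": [
        ("7.4.0", "7.4.2"), ("7.2.0", "7.2.5"), ("7.0.0", "7.0.13"), ("6.4.0", "6.4.15"),
    ],
    "fortianalyzer-cloud": [
        ("7.4.1", "7.4.2"), ("7.2.1", "7.2.6"), ("7.0.1", "7.0.13"), ("6.4.1", "6.4.7"),
    ],
}


def parse_version(text):
    """Pull the numeric x.y.z out of strings such as '7.4.3' or 'v7.4.3-build2556'.

    Returns an int tuple so that comparisons are numeric: 7.0.13 must sort
    after 7.0.2, which a plain string comparison would get wrong.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def normalise_product(product):
    """Map display names like 'FortiAnalyzer Cloud' to the keys in AFFECTED."""
    key = re.sub(r"[\s_]+", "-", product.strip().lower())
    if key not in AFFECTED:
        raise KeyError(f"unknown product {product!r}")
    return key


def is_affected(product, version):
    """True if this product/version falls inside any affected inclusive range."""
    key = normalise_product(product)
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED[key])


def triage(inventory):
    """Return the (hostname, product, version) rows that still need patching."""
    return [row for row in inventory if is_affected(row[1], row[2])]


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE_INVENTORY = [
    ("faz-01", "FortiAnalyzer", "v7.4.3-build2556"),   # last affected 7.4.x
    ("faz-02", "FortiAnalyzer", "v7.4.4"),             # first fixed 7.4.x
    ("faz-03", "FortiAnalyzer", "7.2.6"),              # past the 7.2.x range
    ("fmg-01", "FortiManager", "7.4.3"),               # FortiManager range ends at 7.4.2
    ("fmg-02", "FortiManager", "7.0.13"),              # numeric compare: 7.0.13 > 7.0.2
    ("faz-cloud-01", "FortiAnalyzer Cloud", "6.4.8"),  # past the 6.4.x cloud range
    ("faz-cloud-02", "FortiAnalyzer Cloud", "6.4.7"),  # last affected cloud 6.4.x
]


def affected_hostnames(inventory=SAMPLE_INVENTORY):
    """Convenience wrapper returning only the hostnames that need attention."""
    return [host for host, _, _ in triage(inventory)]


if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is in an affected range for CVE-2024-45331")
```

The important detail is the integer-tuple comparison in `parse_version`: build strings such as `7.0.13` compare correctly against `7.0.2` only when the components are numeric, and a lexicographic check would silently mark a vulnerable 7.0.13 build as fixed. Ranges are taken from the CVE description, which uses inclusive endpoints; if you feed this script the "Affected Assets" ranges shown further down the page, note that their upper bounds sit one patch level above those endpoints.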


Vulnerability details

An incorrect privilege assignment in Fortinet FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, FortiManager versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, FortiAnalyzer Cloud versions 7.4.1 through 7.4.2, 7.2.1 through 7.2.6, 7.0.1 through 7.0.13, 6.4.1 through 6.4.7 allows an attacker to escalate privilege via specific shell commands.

CWE(s): CWE-266 Incorrect Privilege Assignment

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.004 Unix Shell (tactic: Execution): adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Direct local privilege escalation via shell command execution on Linux-based Fortinet appliances.

Confidence: HIGH (MITRE ATT&CK Enterprise v18.1)

CVEs Like This One

CVE-2024-33503 (same product: Fortinet FortiAnalyzer)
CVE-2024-35273 (same product: Fortinet FortiAnalyzer)
CVE-2024-35275 (same product: Fortinet FortiAnalyzer)
CVE-2025-48418 (same product: Fortinet FortiAnalyzer)
CVE-2025-68648 (same product: Fortinet FortiAnalyzer)
CVE-2024-50563 (same product: Fortinet FortiAnalyzer)
CVE-2024-35276 (same product: Fortinet FortiAnalyzer)
CVE-2025-61848 (same product: Fortinet FortiAnalyzer)
CVE-2024-40584 (same product: Fortinet FortiAnalyzer)
CVE-2024-40591 (same vendor: Fortinet)

Affected Assets

Fortinet FortiAnalyzer: 6.4.0 to 7.2.6, 7.4.0 to 7.4.4
Fortinet FortiAnalyzer Cloud: 6.4.1 to 7.2.7, 7.4.1 to 7.4.3
Fortinet FortiManager: 6.4.0 to 7.2.6, 7.4.0 to 7.4.4
Fortinet FortiManager Cloud: 7.0.1 to 7.2.7, 7.4.1 to 7.4.4

Note that the upper bounds in this asset list sit one patch level above the inclusive "through" versions in the vulnerability description (for example 7.4.4 here versus "7.4.0 through 7.4.3" for FortiAnalyzer), which is consistent with the asset ranges using an exclusive end version. When matching inventory against these ranges, treat the end version as the first fixed release and confirm against the Fortinet advisory.

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-6 (Least Privilege) enforces least privilege by ensuring accounts and processes receive only the minimum access rights needed, directly preventing privilege escalation via incorrectly assigned shell command privileges.

Prevent: AC-3 (Access Enforcement) requires systems to enforce approved access control policies, blocking unauthorized privilege escalations when specific shell commands are executed.

Prevent: AC-2 (Account Management) mandates proper account management and privilege allocation procedures, reducing the likelihood of incorrect privilege assignments that enable shell-based escalation.
