CVE-2024-45331
Published: 16 January 2025
Summary
CVE-2024-45331 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Fortinet FortiAnalyzer, FortiManager and FortiAnalyzer Cloud. Its CVSS v3.1 base score is 7.3 (High).
Operationally, its exploit-likelihood ranking sits at the 38.7th percentile (below the median), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-6 enforces least privilege by ensuring accounts and processes receive only the minimum access rights needed, directly preventing privilege escalation via incorrectly assigned shell command privileges.
AC-3 requires systems to enforce approved access control policies, blocking unauthorized privilege escalations when specific shell commands are executed.
AC-2 mandates proper account management and privilege allocation procedures, reducing the likelihood of incorrect privilege assignments that enable shell-based escalation.
NVD Description
An incorrect privilege assignment in Fortinet FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, FortiManager versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, FortiAnalyzer Cloud versions 7.4.1 through 7.4.2, 7.2.1 through 7.2.6, 7.0.1 through 7.0.13, 6.4.1 through 6.4.7 allows an attacker to escalate privilege via specific shell commands.
Deeper analysis
CVE-2024-45331 is an incorrect privilege assignment vulnerability (CWE-266) present in multiple Fortinet products. It affects FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, and 6.4.0 through 6.4.15; FortiManager versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, and 6.4.0 through 6.4.15; and FortiAnalyzer Cloud versions 7.4.1 through 7.4.2, 7.2.1 through 7.2.6, 7.0.1 through 7.0.13, and 6.4.1 through 6.4.7. The flaw enables privilege escalation when an attacker executes specific shell commands, as disclosed in the NVD on 2025-01-16.
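The affected ranges above are easy to misread by hand (FortiManager stops at 7.4.2 where FortiAnalyzer runs to 7.4.3, and the Cloud ranges start one patch later), so a small checker is worth having when triaging an inventory. The following is an added example written for this page, not code from Fortinet or from the NVD: it transcribes the NVD ranges into a table and compares versions as integer tuples. The banner format accepted by parse_version (a line such as "Version: v7.0.12-build0472 (GA)") and the sample inventory are assumptions for illustration. Because the page lists no fixed versions, a version outside every range is reported as "not listed", not as fixed; confirm remediation against FG-IR-24-127.

```python
"""Affected-version checker for CVE-2024-45331, built from the NVD ranges on this page."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (first, last) affected ranges, transcribed from the NVD description.
# No fixed versions are listed on the page, so "not in a range" != "fixed".
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "FortiAnalyzer": [("7.4.0", "7.4.3"), ("7.2.0", "7.2.5"),
                      ("7.0.0", "7.0.13"), ("6.4.0", "6.4.15")],
    "FortiManager": [("7.4.0", "7.4.2"), ("7.2.0", "7.2.5"),
                     ("7.0.0", "7.0.13"), ("6.4.0", "6.4.15")],
    "FortiAnalyzer Cloud": [("7.4.1", "7.4.2"), ("7.2.1", "7.2.6"),
                            ("7.0.1", "7.0.13"), ("6.4.1", "6.4.7")],
}

# Lower-cased, letters-only spellings -> canonical product key.
_PRODUCT_ALIASES = {re.sub(r"[^a-z]", "", k.lower()): k for k in AFFECTED_RANGES}


def parse_version(text: str) -> Version:
    """Extract the first x.y.z triple from a version string.

    Accepts bare '7.4.3', 'v7.4.3', or a longer banner such as
    'Version: v7.0.12-build0472 (GA)' (the banner layout is an assumption,
    not taken from the page). Integer tuples compare numerically, so
    7.0.13 sorts above 7.0.2 even though the strings would not.
    """
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def normalize_product(name: str) -> str:
    """Map spellings such as 'fortianalyzer-cloud' to the canonical key.
    Unknown products raise instead of silently passing as unaffected."""
    key = re.sub(r"[^a-z]", "", name.lower())
    if key not in _PRODUCT_ALIASES:
        raise ValueError(f"unknown product {name!r}; known: {sorted(AFFECTED_RANGES)}")
    return _PRODUCT_ALIASES[key]


def affected_range(product: str, version_text: str) -> Optional[Tuple[str, str]]:
    """Return the (first, last) NVD range that contains this version, or None."""
    canonical = normalize_product(product)
    v = parse_version(version_text)
    for first, last in AFFECTED_RANGES[canonical]:
        if parse_version(first) <= v <= parse_version(last):
            return (first, last)
    return None


def is_affected(product: str, version_text: str) -> bool:
    """True when the version falls inside an NVD-listed affected range."""
    return affected_range(product, version_text) is not None


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Given (hostname, product, version) rows, return (hostname, 'first-last')
    for every row inside an affected range, preserving inventory order."""
    hits: List[Tuple[str, str]] = []
    for host, product, version in inventory:
        rng = affected_range(product, version)
        if rng is not None:
            hits.append((host, f"{rng[0]}-{rng[1]}"))
    return hits


if __name__ == "__main__":
    # Constructed sample inventory; the hostnames and versions are made up.
    SAMPLE = [
        ("faz-01", "FortiAnalyzer", "v7.4.3"),
        ("faz-02", "FortiAnalyzer", "Version: v7.0.12-build0472 (GA)"),
        ("fmg-01", "FortiManager", "7.4.3"),          # outside FortiManager's 7.4.0-7.4.2
        ("faz-cloud-01", "fortianalyzer-cloud", "6.4.0"),  # Cloud range starts at 6.4.1
    ]
    for host, rng in triage(SAMPLE):
        print(f"{host}: in affected range {rng}, see FG-IR-24-127")
```

Feed triage() the product/version columns from whatever asset source you trust; the checker deliberately raises on product names it does not recognise so that a typo in an inventory row surfaces as an error rather than as a false "unaffected" result.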
The CVSS v3.1 vector is AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. An attacker who already has local access (AV:L) and low privileges (PR:L) can exploit the flaw with low attack complexity (AC:L), but user interaction is required (UI:R). Successful exploitation escalates privileges with high impact on confidentiality, integrity and availability (C:H/I:H/A:H) within an unchanged scope (S:U), which yields the base score of 7.3.
Mitigation guidance is available in the Fortinet PSIRT advisory FG-IR-24-127 at https://fortiguard.fortinet.com/psirt/FG-IR-24-127.
Details
- CWE(s)