CVE-2024-46668

High

Published: 14 January 2025

Published

14 January 2025

Modified

31 January 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0216 84.4th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-46668 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Fortinet Fortios. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 15.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-5 Denial-of-service Protection good match

prevent

SC-5 directly prevents denial-of-service attacks, including memory exhaustion from unlimited large file uploads, through mechanisms like rate limiting and throttling.

SC-6 Resource Availability good match

prevent

SC-6 protects system resource availability, such as memory, by enforcing allocation limits and preventing unauthorized consumption via excessive uploads.

SI-9 Information Input Restrictions good match

prevent

SI-9 restricts information inputs, including limiting file sizes and upload volumes, to mitigate resource exhaustion from multiple large unauthenticated file uploads.

NVD Description

An allocation of resources without limits or throttling vulnerability [CWE-770] in FortiOS versions 7.4.0 through 7.4.4, versions 7.2.0 through 7.2.8, versions 7.0.0 through 7.0.15, and versions 6.4.0 through 6.4.15 may allow an unauthenticated remote user to consume all system memory…

via multiple large file uploads.

Deeper analysisAI

CVE-2024-46668 is an allocation of resources without limits or throttling vulnerability (CWE-770) affecting FortiOS versions 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, and 6.4.0 through 6.4.15. It enables an unauthenticated remote user to exhaust system memory through multiple large file uploads, earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

An unauthenticated attacker with network access can exploit this flaw by sending numerous oversized files to the affected FortiOS instances, leading to complete memory consumption and potential denial-of-service conditions that disrupt device functionality.

Fortinet's advisory FG-IR-24-219 provides details on the vulnerability, affected versions, and recommended mitigation steps, including upgrading to patched releases outside the vulnerable ranges.

Details

CWE(s): CWE-770

Affected Products

fortinet

fortios

6.4.0 — 6.4.16 · 7.0.0 — 7.0.16 · 7.2.0 — 7.2.9

CVEs Like This One

CVE-2026-22153Same product: Fortinet Fortios

CVE-2025-53847Same product: Fortinet Fortios

CVE-2024-40591Same product: Fortinet Fortios

CVE-2025-64157Same product: Fortinet Fortios

CVE-2024-46670Same product: Fortinet Fortios

CVE-2024-35279Same product: Fortinet Fortios

CVE-2024-26006Same product: Fortinet Fortios

CVE-2025-24472Same product: Fortinet Fortios

CVE-2024-55591Same product: Fortinet Fortios

CVE-2025-25249Same product: Fortinet Fortios

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-219
Vendor Advisory · psirt@fortinet.com