CVE-2024-48884
Published: 14 January 2025
Summary
CVE-2024-48884 is a high-severity Path Traversal (CWE-22) vulnerability in Fortinet FortiOS. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- SI-10 (Information Input Validation): directly validates file path inputs to ensure they remain within authorized directories, preventing path traversal exploitation.
- SI-2 (Flaw Remediation): mandates timely flaw remediation, including patching this specific path traversal vulnerability as detailed in the vendor advisory.
- Enforces logical access controls on file system resources to block unauthorized writes or deletes attempted via traversed paths.
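The SI-10 control above is the generic fix for CWE-22: canonicalize the caller-supplied path and confirm it still lies inside the permitted directory before writing or deleting anything. The following is an added illustration of that check in Python; it is not Fortinet's code and says nothing about how the affected products handle paths. The base directory and every input path are constructed for the example, and the scratch directory is created only so the delete path can be exercised safely.

```python
import os
import shutil
import tempfile


class PathTraversalError(ValueError):
    """Raised when a caller-supplied path would escape the permitted directory."""


def resolve_within(base_dir: str, user_path: str) -> str:
    """Map user_path onto base_dir and return the canonical absolute result.

    Raises PathTraversalError if the resolved path lies outside base_dir.
    base_dir is a hypothetical application-specific directory.
    """
    if "\x00" in user_path:
        raise PathTraversalError("NUL byte in path")
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_path is absolute, and realpath
    # collapses '.', '..' and symlinks, so the containment check below sees
    # the path the OS would actually open rather than the string supplied.
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath compares whole components, so "/srv/fabric2" is not taken
    # for a child of "/srv/fabric" the way a str.startswith check would.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{user_path!r} escapes {base}")
    return candidate


def is_within(base_dir: str, user_path: str) -> bool:
    """Boolean form of resolve_within for use in allow/deny decisions."""
    try:
        resolve_within(base_dir, user_path)
        return True
    except PathTraversalError:
        return False


def safe_remove_dir(base_dir: str, user_path: str) -> str:
    """Delete a directory under base_dir only after the containment check.

    Also refuses to delete base_dir itself, which '.' or '' would resolve to.
    """
    target = resolve_within(base_dir, user_path)
    if target == os.path.realpath(base_dir):
        raise PathTraversalError("refusing to remove the base directory itself")
    if not os.path.isdir(target):
        raise FileNotFoundError(target)
    shutil.rmtree(target)
    return target


def _allowed(fn) -> bool:
    """True if fn() runs without the containment check rejecting it."""
    try:
        fn()
        return True
    except PathTraversalError:
        return False


def demo() -> dict:
    """Run the checks against constructed inputs in a throwaway directory."""
    base = tempfile.mkdtemp(prefix="fabric-base-")
    decoy = base + "2"  # sibling whose name shares the base's prefix
    os.makedirs(os.path.join(base, "reports", "2024"))
    os.makedirs(decoy)
    try:
        expected = {  # constructed request paths and whether they must be accepted
            "reports/2024": True,
            "reports/../reports/2024": True,
            "../../etc/passwd": False,
            "/etc/passwd": False,
            "../" + os.path.basename(decoy) + "/x": False,
            "reports\x002024": False,
        }
        verdicts = {p: is_within(base, p) for p in expected}
        removed = safe_remove_dir(base, "reports/2024")
        return {
            "verdicts_match_expected": verdicts == expected,
            "removed_inside_base": removed
            == os.path.join(os.path.realpath(base), "reports", "2024")
            and not os.path.isdir(removed),
            "base_itself_protected": not _allowed(lambda: safe_remove_dir(base, ".")),
            "escape_delete_blocked": not _allowed(
                lambda: safe_remove_dir(base, "../" + os.path.basename(decoy))
            ),
            "decoy_untouched": os.path.isdir(decoy),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)
        shutil.rmtree(decoy, ignore_errors=True)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The order of operations is the point: canonicalize first, then compare whole path components, then apply the operation. Comparing the raw string, or checking with a prefix test before symlinks and `..` are resolved, is how a check can look present in the code and still be bypassable.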
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Path traversal enables remote unauthenticated exploitation of exposed Fortinet interfaces (T1190), authenticated arbitrary file write for tool transfer (T1105), and unauthenticated arbitrary folder deletion (T1070.004).
NVD Description
An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiManager 7.6.0 through 7.6.1, FortiManager 7.4.1 through 7.4.3, FortiManager Cloud 7.4.1 through 7.4.3, FortiOS 7.6.0, FortiOS 7.4.0 through 7.4.4, FortiOS 7.2.0 through 7.2.9, FortiOS 7.0.0 through 7.0.15, FortiOS 6.4.0 through 6.4.15, FortiProxy 7.4.0 through 7.4.5, FortiProxy 7.2.0 through 7.2.11, FortiProxy 7.0.0 through 7.0.18, FortiProxy 2.0 all versions, FortiProxy 1.2 all versions, FortiProxy 1.1 all versions, FortiProxy 1.0 all versions may allow a remote authenticated attacker with access to the security fabric interface and port to write arbitrary files or a remote unauthenticated attacker to delete an arbitrary folder
Deeper analysis [AI]
CVE-2024-48884 is a path traversal vulnerability (CWE-22) stemming from improper limitation of a pathname to a restricted directory. It affects Fortinet FortiManager versions 7.6.0 through 7.6.1 and 7.4.1 through 7.4.3, FortiManager Cloud 7.4.1 through 7.4.3, FortiOS versions 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9, 7.0.0 through 7.0.15, and 6.4.0 through 6.4.15, as well as FortiProxy versions 7.4.0 through 7.4.5, 7.2.0 through 7.2.11, 7.0.0 through 7.0.18, and all versions of 2.0, 1.2, 1.1, and 1.0.
A remote authenticated attacker with access to the security fabric interface and port can exploit this vulnerability to write arbitrary files, while a remote unauthenticated attacker can delete an arbitrary folder. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting network accessibility, low attack complexity, no privileges required, and high availability impact.
Mitigation details are provided in the Fortinet PSIRT advisory FG-IR-24-259, available at https://fortiguard.fortinet.com/psirt/FG-IR-24-259.
Details
- CWE(s)