Cyber Posture

CVE-2024-48890

Severity: Medium
Published: 14 January 2025
Modified: 03 February 2025
KEV Added: not listed
Patch: not recorded
CVSS Score: 6.6 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)
EPSS Score: 0.0034 (56.8th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-48890 is a medium-severity OS Command Injection (CWE-78) vulnerability in the Fortinet FortiSOAR IMAP connector, affecting version 3.5.7 and below. Its CVSS v3.1 base score is 6.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). Its EPSS score of 0.0034 (56.8th percentile) places it in the top 43.2% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation), with AC-6 (Least Privilege) limiting the blast radius of any commands that do get executed.

Threat & Defense at a Glance

What attackers do: exploitation maps to Command and Scripting Interpreter (T1059) and Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires information input validation and neutralization of special elements in inputs to the FortiSOAR IMAP connector, preventing OS command injection via crafted playbooks.

SI-2 Flaw Remediation (prevent)
Mandates identification, reporting, and correction of the specific OS command injection flaw in FortiSOAR IMAP connector version 3.5.7 and below through timely flaw remediation.

AC-6 Least Privilege (prevent)
Enforces least privilege for high-privilege authenticated users, limiting the impact and scope of unauthorized commands executed via the injection vulnerability. Because exploitation already requires an elevated FortiSOAR role (PR:H), the complementary lever is the OS account or container in which the connector runs: the changed scope (S:C) means that is where the injected commands take effect, so it should hold no more rights than mail retrieval needs.

MITRE ATT&CK Enterprise Techniques

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

OS command injection (CWE-78) reachable by an authenticated high-privilege user directly enables arbitrary command execution through the underlying shell or interpreter (T1059). The changed scope (S:C) indicates that the injected commands run outside the security authority of the FortiSOAR application itself, on the host or container executing the connector, which is why the mapping also includes Exploitation for Privilege Escalation (T1068).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSOAR IMAP connector version 3.5.7 and below may allow an authenticated attacker to execute unauthorized code or commands via a specifically crafted playbook.

Deeper analysis

CVE-2024-48890 is an improper neutralization of special elements used in an OS command (CWE-78, OS Command Injection) affecting the FortiSOAR IMAP connector in version 3.5.7 and below. Published on 2025-01-14, it carries a CVSS v3.1 base score of 6.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L).

An authenticated attacker with high privileges (PR:H) can exploit it over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). By submitting a specifically crafted playbook, the attacker may execute unauthorized code or commands; the rated impact on confidentiality, integrity and availability is low (C:L/I:L/A:L), but the scope is changed (S:C), meaning the commands affect a component beyond the connector itself. The PR:H requirement is what keeps the score at Medium: crafting and running playbooks requires an elevated FortiSOAR role, so practical exposure depends on how many accounts hold that role and whether the connector's runtime account is itself constrained.

The Fortinet PSIRT advisory provides details on mitigation; see https://fortiguard.fortinet.com/psirt/FG-IR-24-415.
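To make the input-validation control (SI-10) and the attack path described in this analysis concrete, here is an added example in Python, the language FortiSOAR connectors are built in. It is not FortiSOAR code and does not reproduce the connector's real code path, which this page does not show: the function names, the `folder` parameter, the allowlist pattern and the use of `echo` as a stand-in for a mail utility are all assumptions for illustration. It contrasts a shell-string pattern that a crafted playbook value can break out of with an argv-based, allowlisted version that cannot.

```python
"""Hypothetical illustration of CWE-78 in a playbook-driven connector.

Not FortiSOAR code. Function names, the 'folder' parameter, the allowlist
and the use of 'echo' in place of a real mail utility are all assumptions
made so the example runs offline.
"""
import re
import subprocess

# Constructed playbook inputs: a benign value and one that breaks out of the
# single-quoted shell argument and appends a second command.
BENIGN_FOLDER = "INBOX"
MALICIOUS_FOLDER = "INBOX'; echo INJECTED; echo '"

# Allowlist for the hypothetical folder parameter (assumption for the example).
FOLDER_PATTERN = re.compile(r"[A-Za-z0-9._/ -]{1,64}")


def vulnerable_list_folder(folder: str) -> str:
    """Vulnerable pattern: playbook input interpolated into a shell string.

    With shell=True the string is parsed by /bin/sh, so quotes and ';' in
    the input become shell syntax rather than data.
    """
    cmd = f"echo '{folder}'"
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, check=False).stdout


def argv_only_list_folder(folder: str) -> str:
    """Defence in depth without validation: argv form, shell=False.

    The value is delivered to the program as exactly one argument; no shell
    ever sees it, so the break-out characters stay literal.
    """
    return subprocess.run(["echo", folder], capture_output=True,
                          text=True, check=False).stdout


def validate_folder(folder: str) -> str:
    """SI-10 style input validation: reject anything outside the allowlist."""
    if not FOLDER_PATTERN.fullmatch(folder):
        raise ValueError(f"rejected folder name: {folder!r}")
    return folder


def hardened_list_folder(folder: str) -> str:
    """Hardened pattern: validate first, then pass argv with shell=False."""
    safe = validate_folder(folder)
    return subprocess.run(["echo", safe], capture_output=True,
                          text=True, check=False).stdout


def hardened_rejects(folder: str) -> bool:
    """True if the hardened path refuses the input before running anything."""
    try:
        hardened_list_folder(folder)
    except ValueError:
        return True
    return False


def injected(output: str) -> bool:
    """Did the attacker-appended command run? It prints its own 'INJECTED' line."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("vulnerable, benign   :", repr(vulnerable_list_folder(BENIGN_FOLDER)))
    print("vulnerable, malicious:", repr(vulnerable_list_folder(MALICIOUS_FOLDER)))
    print("injected via shell string?", injected(vulnerable_list_folder(MALICIOUS_FOLDER)))
    print("injected via argv only?   ", injected(argv_only_list_folder(MALICIOUS_FOLDER)))
    print("hardened rejects malicious?", hardened_rejects(MALICIOUS_FOLDER))
    print("hardened, benign     :", repr(hardened_list_folder(BENIGN_FOLDER)))
```

The argv form is the actual fix: `shlex.quote` would also neutralize the quote break-out on POSIX shells, but passing an argument list with `shell=False` removes the shell parser from the path entirely, and the allowlist then rejects malformed input early with a clear error instead of relying on quoting being applied everywhere.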

Details

CWE(s)

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Affected Products

Fortinet FortiSOAR IMAP connector, version 3.5.7 and below

CVEs Like This One

CVE-2025-66178 (same vendor: Fortinet)
CVE-2026-25836 (same vendor: Fortinet)
CVE-2024-27778 (same vendor: Fortinet)
CVE-2024-54018 (same vendor: Fortinet)
CVE-2024-55590 (same vendor: Fortinet)
CVE-2024-40584 (same vendor: Fortinet)
CVE-2024-50569 (same vendor: Fortinet)
CVE-2024-50566 (same vendor: Fortinet)
CVE-2026-39808 (same vendor: Fortinet)
CVE-2024-26012 (same vendor: Fortinet)

References

Fortinet PSIRT advisory FG-IR-24-415: https://fortiguard.fortinet.com/psirt/FG-IR-24-415
NVD entry for CVE-2024-48890: https://nvd.nist.gov/vuln/detail/CVE-2024-48890