Cyber Posture

CVE-2024-33503

Medium

Published: 14 January 2025
Modified: 31 January 2025
KEV Added:
Patch:
CVSS Score: 6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (8.7th percentile)
Risk Priority: 13 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

An improper privilege management vulnerability in Fortinet FortiManager version 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, and FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14 allows an attacker to escalate privileges via specific shell commands.

Security Summary

CVE-2024-33503 is an improper privilege management vulnerability (CWE-266) affecting Fortinet FortiManager versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, and 6.4.0 through 6.4.14, as well as FortiAnalyzer versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, and 6.4.0 through 6.4.14. The issue enables privilege escalation through the execution of specific shell commands, with a CVSS v3.1 base score of 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

An attacker requires local access and high privileges (PR:H) to exploit this vulnerability, which has low attack complexity and no user interaction. Successful exploitation allows the attacker to escalate privileges, resulting in high impacts on confidentiality, integrity, and availability within the affected scope.

The Fortinet PSIRT advisory (FG-IR-24-127) at https://fortiguard.fortinet.com/psirt/FG-IR-24-127 provides details on affected versions and mitigation recommendations, including available patches. Security practitioners should consult this advisory for upgrade paths and workarounds.

Details

CWE(s): CWE-266, NVD-CWE-noinfo

Affected Products

fortinet fortianalyzer: 6.4.0 — 7.2.6 · 7.4.0 — 7.4.4
fortinet fortianalyzer cloud: 6.4.1 — 7.2.7 · 7.4.1 — 7.4.3
fortinet fortimanager: 6.4.0 — 7.2.6 · 7.4.0 — 7.4.4
fortinet fortimanager cloud: 7.0.1 — 7.2.7 · 7.4.1 — 7.4.4

References