Cyber Posture

CVE-2024-35273

High

Published: 14 January 2025

Modified: 31 January 2025
KEV Added:
Patch:
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (43.8th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

An out-of-bounds write in Fortinet FortiManager version 7.4.0 through 7.4.2 and FortiAnalyzer version 7.4.0 through 7.4.2 allows an attacker to escalate privileges via specially crafted HTTP requests.

Security Summary

CVE-2024-35273 is an out-of-bounds write vulnerability (CWE-787) affecting Fortinet FortiManager versions 7.4.0 through 7.4.2 and FortiAnalyzer versions 7.4.0 through 7.4.2. The flaw arises from improper bounds checking, enabling an attacker to trigger the issue via specially crafted HTTP requests. It has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

An authenticated attacker with high privileges (PR:H) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). By sending malicious HTTP requests, the attacker can achieve privilege escalation, potentially gaining unauthorized access to higher-level permissions or full system compromise within the affected FortiManager or FortiAnalyzer instances.

Fortinet has published advisory FG-IR-24-106 at https://fortiguard.fortinet.com/psirt/FG-IR-24-106, which provides details on mitigation, including available patches for the vulnerable versions. Security practitioners should consult this advisory for upgrade instructions and apply fixes promptly to affected systems.

Details

CWE(s)
CWE-787

Affected Products

fortinet fortianalyzer: 7.4.0 — 7.4.4
fortinet fortianalyzer cloud: 7.4.1 — 7.4.3
fortinet fortimanager: 7.4.0 — 7.4.3
fortinet fortimanager cloud: 7.4.1 — 7.4.3

References