Cyber Posture

CVE-2024-36512

High

Published: 14 January 2025

Modified: 31 January 2025
KEV Added:
Patch:
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0066 (71.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiManager and FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.2 through 7.0.12, and 6.2.10 through 6.2.13 allows an attacker to execute unauthorized code or commands via crafted HTTP or HTTPS requests.

Security Summary

CVE-2024-36512 is a path traversal vulnerability (CWE-22) affecting Fortinet FortiManager and FortiAnalyzer in versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.2 through 7.0.12, and 6.2.10 through 6.2.13. The issue arises from an improper limitation of a pathname to a restricted directory, which allows remote attackers to execute unauthorized code or commands by sending crafted HTTP or HTTPS requests. Published on January 14, 2025, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), rated as High severity.

An attacker with high privileges, such as an authenticated administrator, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, enabling arbitrary code execution on the affected system and potential full compromise of the FortiManager or FortiAnalyzer instance.

The Fortinet PSIRT advisory FG-IR-24-152 provides details on mitigation strategies and patches; security practitioners should consult https://fortiguard.fortinet.com/psirt/FG-IR-24-152 for upgrade instructions and workarounds applicable to vulnerable versions.

Details

CWE(s): CWE-22

Affected Products

- fortinet / fortianalyzer: 6.2.10 to 7.0.13, 7.2.0 to 7.2.6, 7.4.0 to 7.4.4
- fortinet / fortimanager: 6.2.10 to 7.0.13, 7.2.0 to 7.2.6, 7.4.0 to 7.4.4

References