CVE-2024-40584

CVE-2024-40584 is an improper neutralization of special elements used in an OS command, classified as an OS Command Injection vulnerability (CWE-78), affecting the GUI in multiple Fortinet products. The impacted software includes FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, and 6.2.2 through 6.2.13; FortiManager versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, and 6.2.2 through 6.2.13; FortiAnalyzer BigData versions 7.4.0, 7.2.0 through 7.2.7, 7.0.1 through 7.0.6, 6.4.5 through 6.4.7, and 6.2.5; FortiAnalyzer Cloud versions 7.4.1 through 7.4.3, 7.2.1 through 7.2.5, 7.0.1 through 7.0.13, and 6.4.1 through 6.4.7; and FortiManager Cloud versions 7.4.1 through 7.4.3, 7.2.1 through 7.2.5, 7.0.1 through 7.0.13, and 6.4.1 through 6.4.7.

An authenticated privileged attacker (PR:H) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N) by sending crafted HTTPS or HTTP requests to the GUI, enabling execution of unauthorized code or commands. The vulnerability has a CVSS v3.1 base score of 7.2 (C:H/I:H/A:H/S:U), indicating high impacts on confidentiality, integrity, and availability within the unchanged security scope.

Mitigation details are available in the Fortinet product security incident response team advisory at https://fortiguard.fortinet.com/psirt/FG-IR-24-220.