CVE-2024-40591
Published: 11 February 2025
Description
An incorrect privilege assignment vulnerability [CWE-266] in Fortinet FortiOS version 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9 and before 7.0.15 allows an authenticated admin whose access profile has the Security Fabric permission to escalate their privileges to super-admin by connecting the targeted FortiGate to a malicious upstream FortiGate they control.
Security Summary
CVE-2024-40591 is an incorrect privilege assignment vulnerability (CWE-266) in Fortinet FortiOS versions 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9, and before 7.0.15. The issue affects FortiGate devices, where an authenticated admin with the Security Fabric permission in their access profile can escalate privileges to super-admin by leveraging a connection to a malicious upstream FortiGate under attacker control. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low complexity, and significant confidentiality, integrity, and availability impacts.
The attack requires an authenticated low-privileged administrator on the target FortiGate with Security Fabric permissions. The attacker connects the target device to another FortiGate they control as a malicious upstream device in the Security Fabric topology, enabling privilege escalation to super-admin rights. This grants full administrative control over the affected FortiGate.
Mitigation details are available in the Fortinet PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-24-302.
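For asset triage, the following added example (not Fortinet code, and not part of this record) turns the affected-version ranges stated above into a check that can be run over a constructed FortiGate inventory; a branch the record does not mention (such as 6.4.x) is reported as "not listed" rather than as safe.

```python
"""Classify FortiOS versions against the affected ranges given in the
CVE-2024-40591 record: 7.6.0, 7.4.0-7.4.4, 7.2.0-7.2.9, and 7.0.x before 7.0.15.
Constructed example for inventory triage; version ranges come from the record text."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (low, high) ranges copied from the advisory description above.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((7, 6, 0), (7, 6, 0)),
    ((7, 4, 0), (7, 4, 4)),
    ((7, 2, 0), (7, 2, 9)),
    ((7, 0, 0), (7, 0, 14)),  # "before 7.0.15"
]


def parse_version(text: str) -> Version:
    """Parse '7.4.3' or 'v7.4.3' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def is_affected(version_text: str) -> Optional[bool]:
    """True: inside a listed affected range. False: on a listed branch but at or
    past the last affected build. None: branch not covered by the record."""
    v = parse_version(version_text)
    for low, high in AFFECTED_RANGES:
        if low <= v <= high:
            return True
    listed_branches = {low[:2] for low, _ in AFFECTED_RANGES}
    return False if v[:2] in listed_branches else None


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by status so the affected set can be prioritised for patching."""
    buckets: Dict[str, List[str]] = {"affected": [], "fixed_branch": [], "not_listed": []}
    for host, version in inventory.items():
        status = is_affected(version)
        key = "affected" if status else ("fixed_branch" if status is False else "not_listed")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = {"fgt-edge-1": "7.4.4", "fgt-edge-2": "7.4.5", "fgt-core": "v7.0.14", "fgt-lab": "6.4.15"}
    print(triage(sample))
```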
Details
- CWE(s)