Cyber Posture

CVE-2024-45324

Severity: High
Published: 11 March 2025
Modified: 24 July 2025
KEV Added: none recorded
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (44.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

A use of externally-controlled format string vulnerability (CWE-134) in FortiOS, FortiProxy, FortiPAM, FortiSRA and FortiWeb may allow a privileged attacker to execute unauthorized code or commands via specially crafted HTTP or HTTPS requests.

Security Summary

CVE-2024-45324 is a use of externally-controlled format string vulnerability (CWE-134) affecting multiple Fortinet products. It impacts FortiOS versions 7.4.0 through 7.4.4, 7.2.0 through 7.2.9, 7.0.0 through 7.0.15 and before 6.4.15; FortiProxy versions 7.4.0 through 7.4.6, 7.2.0 through 7.2.12 and before 7.0.19; FortiPAM versions 1.4.0 through 1.4.2 and before 1.3.1; FortiSRA versions 1.4.0 through 1.4.2 and before 1.3.1; and FortiWeb versions 7.4.0 through 7.4.5, 7.2.0 through 7.2.10 and before 7.0.10.
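The ranges above are the ones a practitioner has to check an inventory against. The following script is an added example, not Fortinet's and not this page's own tooling: it transcribes the ranges from the summary paragraph only (the structured Affected Products list further down differs in places, and the vendor advisory FG-IR-24-325 is authoritative), treats the summary's "before X" wording as every release below X with no lower bound, and returns False for any branch the summary does not mention (for example FortiOS 7.6), which means "not listed", not "confirmed safe". The inventory at the bottom is constructed.

```python
"""Check Fortinet product builds against the CVE-2024-45324 affected ranges
quoted in the Security Summary above (Fortinet PSIRT FG-IR-24-325).

Added example: not Fortinet's and not the page's own tooling. Ranges are
transcribed from the summary paragraph only; the structured Affected Products
list on this page differs in places, and the vendor advisory is authoritative.
A branch the summary does not mention (e.g. FortiOS 7.6) returns False here,
which means "not listed", not "confirmed safe"."""
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

# (lowest affected, bound, bound is inclusive). A None lower end encodes the
# summary's "before X" wording, which names no starting release.
AFFECTED = {
    "fortios":    [("7.4.0", "7.4.4", True), ("7.2.0", "7.2.9", True),
                   ("7.0.0", "7.0.15", True), (None, "6.4.15", False)],
    "fortiproxy": [("7.4.0", "7.4.6", True), ("7.2.0", "7.2.12", True),
                   (None, "7.0.19", False)],
    "fortipam":   [("1.4.0", "1.4.2", True), (None, "1.3.1", False)],
    "fortisra":   [("1.4.0", "1.4.2", True), (None, "1.3.1", False)],
    "fortiweb":   [("7.4.0", "7.4.5", True), ("7.2.0", "7.2.10", True),
                   (None, "7.0.10", False)],
}


def parse_version(text: str) -> Version:
    """Pull major.minor.patch out of '7.4.4', 'v7.4.4' or 'FortiOS v7.4.4 build2662'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return int(m[1]), int(m[2]), int(m[3])


def is_affected(product: str, version: str) -> bool:
    """True if the build falls inside any affected range listed for the product."""
    key = product.strip().lower().replace(" ", "")
    if key not in AFFECTED:
        raise ValueError(f"unknown product {product!r}")
    v = parse_version(version)
    for low, bound, inclusive in AFFECTED[key]:
        above_low = low is None or v >= parse_version(low)
        below_bound = v <= parse_version(bound) if inclusive else v < parse_version(bound)
        if above_low and below_bound:
            return True
    return False


# Constructed sample inventory: (hostname, product, version string as reported).
INVENTORY = [
    ("fw-edge-01", "FortiOS", "v7.4.4 build2662"),
    ("fw-edge-02", "FortiOS", "7.4.5"),
    ("fw-dc-01", "FortiOS", "6.4.14"),
    ("proxy-01", "FortiProxy", "7.0.18"),
    ("waf-01", "FortiWeb", "7.6.0"),
    ("pam-01", "FortiPAM", "1.4.3"),
]


def affected_hosts(inventory) -> List[str]:
    """Hostnames whose reported build is inside an affected range."""
    return [host for host, product, version in inventory if is_affected(product, version)]


if __name__ == "__main__":
    for host in affected_hosts(INVENTORY):
        print(f"{host}: affected by CVE-2024-45324, see FG-IR-24-325")
```

Comparison is on the numeric major.minor.patch triple only; build numbers are ignored, which matches how the advisory ranges are expressed. A host on a branch that returns False here still needs to be checked against the advisory before it is marked clean.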

The vulnerability is reachable over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), but only by an attacker who already holds high privileges on the device (PR:H), that is, an authenticated administrator of the HTTP/HTTPS management interface. Specially crafted HTTP or HTTPS requests carry attacker-controlled data into a format string (CWE-134): printf-family directives such as %x and %p read from the stack and %n writes to memory, which is how a formatting bug escalates to execution of unauthorized code or commands, with high impact on confidentiality, integrity and availability (CVSS 7.2; CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). The PR:H requirement is the practical caveat: the bug does not itself bypass authentication, so its value to an adversary is as a step after credential theft or an authentication bypass, and exposing the management interface to untrusted networks is what turns it into a remote risk.

Fortinet's PSIRT advisory FG-IR-24-325 (https://fortiguard.fortinet.com/psirt/FG-IR-24-325) provides details on mitigation and patches for the affected versions.

Details

CWE(s): CWE-134 (Use of Externally-Controlled Format String)

Affected Products

Fortinet FortiOS: 6.2.0 — 6.2.17 · 6.4.0 — 6.4.16 · 7.0.0 — 7.0.16
Fortinet FortiPAM: 1.0.0 — 1.3.1 · 1.4.0 — 1.4.3
Fortinet FortiProxy: 7.6.0 · 7.0.0 — 7.0.20 · 7.2.0 — 7.2.13 · 7.4.0 — 7.4.7
Fortinet FortiWeb: 7.6.0 · 7.0.0 — 7.0.11 · 7.2.0 — 7.2.11 · 7.4.0 — 7.4.6
Fortinet FortiSRA: 1.4.0 — 1.4.3

This structured list does not agree with the Security Summary above: it omits the FortiOS 7.2 and 7.4 branches, adds FortiOS 6.2.x, and its upper bounds sit one patch release above the summary's "through" values (7.0.0 to 7.0.16 here versus 7.0.0 through 7.0.15 in the summary; 1.4.0 to 1.4.3 versus 1.4.0 through 1.4.2), which reads as an exclusive upper bound at the first fixed build. Where the two disagree, check the running build against the vendor advisory FG-IR-24-325 rather than this list.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a network-reachable code/command execution vulnerability in the HTTP/HTTPS web management interface of Fortinet products that are commonly Internet-facing, which is the pattern T1190 covers. One caveat for triage: the CVSS vector requires high privileges (PR:H), so on its own the bug does not give an unauthenticated adversary initial access; in practice it would follow credential theft or an authentication bypass against the same interface, or be used from an already-compromised admin session.
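For the detection side of this mapping, the following script is an added example, not Fortinet's and not this page's own tooling, and not a signature for CVE-2024-45324: the page does not identify the vulnerable request or parameter, so it flags generic CWE-134 probing (printf directives in request targets aimed at a web management interface) over Common Log Format lines. The log lines, client addresses and paths are constructed; a management-interface log in the field will need its own parser.

```python
"""Heuristic scan of HTTP access-log lines for printf-style format directives
(%n, %x, %p, %s ...) in requests to a device's web management interface.

Added example: not Fortinet's and not the page's own tooling, and not a
signature for CVE-2024-45324, since the page does not identify the vulnerable
request or parameter. It flags generic CWE-134 probing. All log lines below
are constructed."""
import re
from typing import List, Tuple

# Conversion letters are restricted to ones that are not hex digits, so an
# ordinary percent-escape such as %2F or %2c never looks like a directive.
# %n (with h/hh length modifiers) is the memory-write primitive; stacked
# %x / %p / %s are the classic stack-leak probes.
READ_DIRECTIVE = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|z)?[iouxXgGps]")
WRITE_DIRECTIVE = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l)?n")

# Common Log Format: client ident user [timestamp] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def normalise(target: str) -> str:
    """Undo one layer of double-encoding (%25n -> %n) without a full unquote():
    urllib's unquote would turn %08x into a control byte followed by 'x' and hide
    the directive, while a raw %n or %x already survives URL handling because
    n and x are not hex digits."""
    return target.replace("%25", "%")


def score_target(target: str) -> Tuple[str, int, int]:
    """Return (severity, write_directives, read_directives) for one request target."""
    text = normalise(target)
    writes = len(WRITE_DIRECTIVE.findall(text))
    reads = len(READ_DIRECTIVE.findall(text))
    if writes:
        severity = "high"      # %n present: treat as an exploitation attempt
    elif reads >= 3:
        severity = "medium"    # stacked reads: someone is walking the stack
    else:
        severity = "none"      # a lone %s or %x is usually noise
    return severity, writes, reads


def scan(lines: List[str]) -> List[Tuple[int, str, str, str, str]]:
    """Return (line_no, client, user, target, severity) for each suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue            # not CLF; skip rather than guess
        severity, _, _ = score_target(m["target"])
        if severity != "none":
            hits.append((n, m["client"], m["user"], m["target"], severity))
    return hits


SAMPLE_LOG = [  # constructed; paths are illustrative, not the vulnerable endpoint
    '10.0.0.5 - admin [11/Mar/2025:10:01:02 +0000] "GET /login HTTP/1.1" 200 512',
    '10.0.0.5 - admin [11/Mar/2025:10:01:09 +0000] '
    '"GET /admin/settings?name=%25x%25x%25x%25x HTTP/1.1" 400 73',
    '198.51.100.7 - admin [11/Mar/2025:10:02:30 +0000] '
    '"POST /admin/settings?name=AAAA%08x.%08x.%n HTTP/1.1" 500 0',
    '10.0.0.9 - - [11/Mar/2025:10:03:00 +0000] '
    '"GET /static/app.js?v=1%2F2%2F3%2F4 HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for line_no, client, user, target, severity in scan(SAMPLE_LOG):
        print(f"line {line_no}: {severity.upper()} {client} user={user} {target}")
```

Two design points worth keeping if this is adapted: the authenticated user field matters here because PR:H means any hit is either an administrator behaving oddly or a stolen admin session, so pivot on the user, not just the source address; and the heuristic only sees the request line, so POST bodies, which are the more likely carrier for "specially crafted HTTP or HTTPS requests", need the same scoring applied to decoded body content from a WAF or proxy that logs it.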

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
