Cyber Posture

CVE-2024-46667

High

Published: 14 January 2025

Modified: 16 July 2025
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0064 (70.6th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An allocation of resources without limits or throttling in Fortinet FortiSIEM 5.3 all versions, 5.4 all versions, 6.x all versions, 7.0 all versions, and 7.1.0 through 7.1.5 may allow an attacker to deny valid TLS traffic by consuming all allotted connections.

Security Summary

CVE-2024-46667 is a vulnerability involving allocation of resources without limits or throttling, classified under CWE-770, affecting Fortinet FortiSIEM in all versions of 5.3 and 5.4, all 6.x versions, all 7.0 versions, and 7.1.0 through 7.1.5. The issue enables an attacker to consume all allotted connections, resulting in the denial of valid TLS traffic.

With a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), the vulnerability can be exploited remotely by an unauthenticated attacker with low attack complexity and no user interaction. Exploitation produces a denial-of-service condition: the allotted connection pool is exhausted and legitimate TLS traffic is blocked, with no impact on confidentiality or integrity.

Mitigation details are available in the Fortinet PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-24-164.

Details

CWE(s): CWE-770

Affected Products

Vendor: fortinet
Product: fortisiem
Versions: 5.4.0; 5.3.0 through 5.3.3; 6.1.0 through 6.1.2; 6.2.0 through 6.2.1

References