Cyber Posture

CVE-2024-46668

Severity: High
Published: 14 January 2025
Modified: 31 January 2025
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0216 (84.4th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An allocation of resources without limits or throttling vulnerability [CWE-770] in FortiOS versions 7.4.0 through 7.4.4, versions 7.2.0 through 7.2.8, versions 7.0.0 through 7.0.15, and versions 6.4.0 through 6.4.15 may allow an unauthenticated remote user to consume all system memory via multiple large file uploads.

Security Summary

CVE-2024-46668 is an allocation of resources without limits or throttling vulnerability (CWE-770) affecting FortiOS versions 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, and 6.4.0 through 6.4.15. It allows an unauthenticated remote user to exhaust system memory through multiple large file uploads and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

An unauthenticated attacker with network access can exploit the flaw by sending numerous oversized file uploads to an affected FortiOS device, driving system memory to exhaustion and causing a denial of service. The CVSS vector (C:N/I:N/A:H) reflects that the impact is availability only: the device becomes unresponsive or loses functionality, but no data is disclosed or modified.
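The pattern behind a CWE-770 upload bug is an upload path whose memory use is set by the client rather than by the server. The following is an added example, not Fortinet code and not a reproduction of the FortiOS flaw: it is a generic, hypothetical upload handler in its vulnerable form (buffer the whole body in RAM with no ceiling and no concurrency limit) next to a hardened form that rejects an over-size Content-Length before reading, counts bytes as they arrive so a lying or absent Content-Length does not help, spools to disk instead of RAM, and charges every in-flight request against one process-wide memory budget so many parallel uploads cannot add up to exhaustion. The request bodies are constructed in the block.

```python
"""Bounded upload handling against the CWE-770 pattern described above.

Added example, not Fortinet code and not a reproduction of the FortiOS bug:
both handlers and the MemoryBudget are hypothetical stand-ins.
"""
import tempfile
import threading

CHUNK = 64 * 1024  # bytes held in RAM per in-flight hardened upload


class UploadTooLarge(Exception):
    pass


class BudgetExhausted(Exception):
    pass


class RepeatingStream:
    """Constructed request body: `size` bytes of 'A', produced lazily, so the
    client never has to allocate what it is asking the server to hold."""

    def __init__(self, size: int):
        self.remaining = size

    def read(self, n: int = -1) -> bytes:
        n = self.remaining if n < 0 else min(n, self.remaining)
        self.remaining -= n
        return b"A" * n


def vulnerable_upload(stream) -> int:
    """Vulnerable: buffers the entire body in memory with no size limit."""
    body = b""
    while chunk := stream.read(CHUNK):
        body += chunk  # unbounded growth, sized by the attacker
    return len(body)


class MemoryBudget:
    """Process-wide ceiling on bytes buffered by all in-flight uploads."""

    def __init__(self, limit: int):
        self.limit, self.used = limit, 0
        self._lock = threading.Lock()

    def acquire(self, n: int) -> None:
        with self._lock:
            if self.used + n > self.limit:
                raise BudgetExhausted(f"would hold {self.used + n} > {self.limit} bytes")
            self.used += n

    def release(self, n: int) -> None:
        with self._lock:
            self.used -= n


def hardened_upload(stream, *, declared_length, max_body: int, budget: MemoryBudget) -> int:
    """Hardened: early reject, incremental byte count, disk spool, budgeted RAM."""
    if declared_length is not None and declared_length > max_body:
        raise UploadTooLarge(f"Content-Length {declared_length} > {max_body}")
    budget.acquire(CHUNK)  # reserve RAM before reading a single byte
    received = 0
    try:
        with tempfile.TemporaryFile() as spool:
            while chunk := stream.read(CHUNK):  # never more than CHUNK bytes in RAM
                received += len(chunk)
                if received > max_body:  # catches chunked bodies and lying lengths
                    raise UploadTooLarge(f"body exceeded {max_body} bytes")
                spool.write(chunk)
        return received
    finally:
        budget.release(CHUNK)


def demo() -> dict:
    """Runs both handlers against constructed bodies and returns the outcomes."""
    MiB = 1024 * 1024
    budget = MemoryBudget(limit=3 * CHUNK)  # room for three in-flight uploads
    out = {"vulnerable_held": vulnerable_upload(RepeatingStream(8 * MiB))}
    out["small_ok"] = hardened_upload(
        RepeatingStream(200 * 1024), declared_length=200 * 1024, max_body=MiB, budget=budget)
    try:  # honest Content-Length: rejected before any byte is read
        hardened_upload(RepeatingStream(8 * MiB), declared_length=8 * MiB, max_body=MiB, budget=budget)
        out["declared_rejected"] = False
    except UploadTooLarge:
        out["declared_rejected"] = True
    try:  # no Content-Length at all: the ceiling still applies as bytes arrive
        hardened_upload(RepeatingStream(8 * MiB), declared_length=None, max_body=MiB, budget=budget)
        out["streamed_rejected"] = False
    except UploadTooLarge:
        out["streamed_rejected"] = True
    for _ in range(3):  # simulate three uploads already in flight
        budget.acquire(CHUNK)
    try:  # a fourth small, legitimate-looking upload is refused, not buffered
        hardened_upload(RepeatingStream(1024), declared_length=1024, max_body=MiB, budget=budget)
        out["fourth_admitted"] = True
    except BudgetExhausted:
        out["fourth_admitted"] = False
    out["budget_after"] = budget.used
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The budget check is the part that addresses "multiple" uploads: a per-request cap alone still lets an attacker multiply it by the number of connections the server accepts, so the ceiling has to be global and reserved before the first byte is read. Refusing with an error while the budget is full costs a few bytes; accepting and buffering costs whatever the client chooses.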

Fortinet's advisory FG-IR-24-219 provides details on the vulnerability, affected versions, and recommended mitigation steps, including upgrading to patched releases outside the vulnerable ranges.

Details

CWE(s)
CWE-770

Affected Products

fortinet
fortios
6.4.0 up to (excluding) 6.4.16 · 7.0.0 up to (excluding) 7.0.16 · 7.2.0 up to (excluding) 7.2.9
The upper bounds in this product list are exclusive, so they agree with the inclusive ranges in the description (6.4.0 through 6.4.15, 7.0.0 through 7.0.15, 7.2.0 through 7.2.8). The 7.4.0 through 7.4.4 range given in the description is absent from this product list.
