Cyber Posture

CVE-2024-46670

High

Published: 14 January 2025
Modified: 31 January 2025
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0152 (81.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An Out-of-bounds Read vulnerability [CWE-125] in FortiOS version 7.6.0, version 7.4.4 and below, version 7.2.9 and below and FortiSASE FortiOS tenant version 24.3.b IPsec IKE service may allow an unauthenticated remote attacker to trigger memory consumption leading to Denial of Service via crafted requests.

Security Summary

CVE-2024-46670 is an out-of-bounds read vulnerability (CWE-125) in the IPsec IKE service of FortiOS version 7.6.0, version 7.4.4 and below, version 7.2.9 and below, and FortiSASE FortiOS tenant version 24.3.b. The flaw enables an unauthenticated remote attacker to trigger memory consumption, potentially leading to a denial-of-service condition via crafted requests.

The vulnerability can be exploited by any unauthenticated attacker with network access to the affected IPsec IKE service, requiring low attack complexity and no user interaction. Exploitation achieves high-impact denial of service through memory exhaustion, with no impact on confidentiality or integrity, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Mitigation details are provided in the FortiGuard PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-24-266.

Details

CWE(s): CWE-125

Affected Products

Vendor: fortinet
Product: fortios
Versions: 7.6.0; 7.2.0 to 7.2.10; 7.4.0 to 7.4.5

References