CVE-2024-50566
Published: 14 January 2025
Description
An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiManager Cloud 7.6.0 through 7.6.1, FortiManager Cloud 7.4.0 through 7.4.4, FortiManager Cloud 7.2.2 through 7.2.7, FortiManager 7.6.0 through 7.6.1, FortiManager 7.4.0 through 7.4.5, FortiManager 7.2.1 through 7.2.8 may allow an authenticated remote attacker to execute unauthorized code via crafted FGFM requests.
Security Summary
CVE-2024-50566 is an OS command injection vulnerability (CWE-78), resulting from improper neutralization of special elements used in an OS command. It affects Fortinet FortiManager Cloud versions 7.6.0 through 7.6.1, 7.4.0 through 7.4.4, and 7.2.2 through 7.2.7, as well as FortiManager versions 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, and 7.2.1 through 7.2.8. The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
An authenticated remote attacker with high privileges (PR:H) can exploit the vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). By crafting malicious FGFM requests, the attacker may execute unauthorized code on the affected system, achieving high impacts on confidentiality, integrity, and availability.
Mitigation details are provided in the Fortinet PSIRT advisory FG-IR-24-463, available at https://fortiguard.fortinet.com/psirt/FG-IR-24-463.
Details
- CWE(s)