Cyber Posture

CVE-2024-50567

Severity: High
Published: 11 February 2025
Modified: 22 July 2025
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (35.7th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiWeb 7.4.0 through 7.6.0 allows an attacker to execute unauthorized code or commands via crafted input.

Security Summary

CVE-2024-50567 is an OS command injection vulnerability (CWE-78) in Fortinet FortiWeb versions 7.4.0 through 7.6.0. The flaw arises from improper neutralization of special elements used in an OS command, enabling attackers to execute unauthorized code or commands through crafted input. Published on 2025-02-11, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

An attacker who already holds high privileges on the device can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation allows execution of arbitrary OS commands, resulting in high impact to confidentiality, integrity, and availability.

Fortinet's PSIRT advisory FG-IR-24-438 at https://fortiguard.fortinet.com/psirt/FG-IR-24-438 provides further details on the vulnerability and mitigation steps.

Details

CWE(s): CWE-78

Affected Products

Fortinet FortiWeb: 7.6.0; 7.0.0 through 7.4.6
