Cyber Posture

CVE-2024-50569

Medium

Published: 11 February 2025

Modified: 22 July 2025
KEV Added:
Patch:
CVSS Score: 6.6 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (32.0th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Description

An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiWeb 7.0.0 through 7.6.0 allows an attacker to execute unauthorized code or commands via crafted input.

Security Summary

CVE-2024-50569 is an OS command injection vulnerability (CWE-78) affecting Fortinet FortiWeb versions 7.0.0 through 7.6.0. The issue arises from improper neutralization of special elements used in an OS command, enabling attackers to execute unauthorized code or commands through crafted input. It received a CVSS v3.1 base score of 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

The vulnerability is reachable over the network (AV:N) and requires no user interaction (UI:N), but exploitation requires high privileges (PR:H) and is rated high complexity (AC:H), which is why the base score lands at 6.6 despite the impact. Successful exploitation allows execution of arbitrary OS commands on the appliance, with high impact on confidentiality, integrity, and availability; the scope is unchanged (S:U).

The Fortinet advisory FG-IR-24-438 provides details on mitigation: https://fortiguard.fortinet.com/psirt/FG-IR-24-438.

Details

CWE(s)
CWE-78

Affected Products

fortinet
fortiweb
7.6.0; 7.0.0 through 7.4.6

References