Cyber Posture

CVE-2024-55590

High

Published: 11 March 2025
Modified: 23 July 2025
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0059 (69.2nd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may abuse Unix shell commands and scripts for execution.

Security Summary

CVE-2024-55590 covers multiple improper neutralization of special elements used in an OS command vulnerabilities, classified as OS Command Injection (CWE-78), in Fortinet FortiIsolator versions 2.4.0 through 2.4.5. The flaws stem from inadequate handling of special elements in CLI command input, which allows an attacker to inject OS commands that the appliance then executes.

An authenticated attacker with at least read-only administrator permissions and CLI access can exploit these vulnerabilities by submitting specially crafted CLI commands, resulting in execution of unauthorized code on the affected system. The CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high severity: network accessible, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.

Mitigation details are available in the Fortinet product security incident response advisory at https://fortiguard.fortinet.com/psirt/FG-IR-24-178.

Details

CWE(s)
CWE-78

Affected Products

fortinet
fortiisolator
2.4.0 — 2.4.6

MITRE ATT&CK Enterprise Techniques

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection via CLI directly enables arbitrary command execution on the Linux-based Fortinet appliance, mapping to Unix Shell.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
