CVE-2024-40591

Published Feb 11, 2025

Last updated 17 days ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2024-40591 is an incorrect privilege assignment vulnerability in Fortinet's FortiOS. It affects versions 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9, and versions prior to 7.0.15. An attacker, authenticated as an administrator with "Security Fabric" permissions, can exploit this flaw to escalate their privileges to the super-admin level. This is achieved by connecting the targeted FortiGate device to a malicious upstream FortiGate controlled by the attacker. This vulnerability allows privilege escalation within the FortiOS security fabric. Affected versions include 7.6.0, along with specific ranges within the 7.4, 7.2, and 7.0 branches. Exploitation requires the attacker to have existing administrative privileges and the "Security Fabric" permission enabled on their account. By manipulating the connection to a compromised upstream FortiGate, the attacker can gain the highest level of administrative control (super-admin).

Description: An incorrect privilege assignment vulnerability [CWE-266] in Fortinet FortiOS version 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9 and before 7.0.15 allows an authenticated admin whose access profile has the Security Fabric permission to escalate their privileges to super-admin by connecting the targetted FortiGate to a malicious upstream FortiGate they control.
Source: psirt@fortinet.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

psirt@fortinet.com: CWE-266

Hype score: Not currently trending

Overview

AI description

Risk scores

CVSS 3.1

Weaknesses

Social media

References