Fortinet FortiManager
CVE-2024-33503
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local shell access with an existing low-privilege account (AV:L, PR:L) and no user interaction yields full appliance compromise, so C/I/A all High.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionNVD
A improper privilege management in Fortinet FortiManager version 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14 allows attacker to escalation of privilege via specific shell commands
AnalysisAI
Local privilege escalation in Fortinet FortiManager (6.4.0-6.4.14, 7.0.0-7.0.12, 7.2.0-7.2.5, 7.4.0-7.4.3) and FortiAnalyzer (6.4.0-6.4.14, 7.0.0-7.0.12, 7.2.0-7.2.5, 7.4.0-7.4.2), including their Cloud variants, lets an attacker who already holds low-privilege CLI/shell access run specific shell commands to gain elevated privileges. Full confidentiality, integrity, and availability impact result, effectively giving an attacker administrative control of the management appliance. No public exploit identified at time of analysis; the low EPSS score (0.03%, 9th percentile) indicates minimal current exploitation activity.
Technical ContextAI
FortiManager and FortiAnalyzer are Fortinet's centralized management and log/analytics platforms for Fortinet security fabrics; the Cloud editions offer the same functionality as hosted services. The flaw is classified as CWE-266 (Incorrect Privilege Assignment), a root-cause class where a program grants an actor privileges beyond those intended. Here the appliance's constrained shell fails to properly confine what specific shell commands a lower-privileged operator may execute, allowing that operator to cross a privilege boundary. Because these devices manage fleets of firewalls and store sensitive configuration and log data, privilege escalation on the appliance itself carries outsized downstream risk to the managed estate.
RemediationAI
Follow Fortinet advisory FG-IR-24-127 (https://fortiguard.fortinet.com/psirt/FG-IR-24-127) and upgrade to the fixed releases specified there; the input data does not include exact fixed version numbers, so consult the advisory for the precise target build for your branch (generally the release above the highest listed vulnerable version in each train, e.g. FortiManager 7.4.4+ / 7.2.6+ / 7.0.13+ and FortiAnalyzer 7.4.3+ / 7.2.6+ / 7.0.13+ - verify against the advisory before applying). As a compensating control until patched, tightly restrict who holds CLI/shell and low-privilege administrative accounts on these appliances, since exploitation requires an existing local foothold: limit administrative accounts to the minimum operators, enforce strong authentication and trusted-host/management-interface ACLs to reduce who can reach the shell, and audit CLI command usage for anomalous shell command activity. These controls reduce exposure but do not remove the underlying flaw, and over-restricting operator accounts may impede legitimate administration, so patching remains the primary fix.
More in Fortianalyzer
View allA buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0
An improper neutralization of special elements used in an os command ('OS Command Injection') vulnerability [CWE-78] in
A server-side request forgery vulnerability [CWE-918] in Fortinet FortiAnalyzer version 7.4.0, version 7.2.0 through 7.2
A client-side enforcement of server-side security [CWE-602] vulnerability in Fortinet FortiManager version 7.4.0 and bef
Remote code execution in Fortinet FortiManager and FortiAnalyzer (plus their Cloud variants) arises from a stack-based b
A client-side enforcement of server-side security in Fortinet FortiAnalyzer-BigData at least version 7.4.0 and 7.2.0 thr
A improper handling of insufficient permissions or privileges in Fortinet FortiAnalyzer version 5.6.0 through 5.6.11, Fo
An improper neutralization of input vulnerability in FortiAnalyzer before 6.4.1 and 6.2.5 may allow a remote authenticat
An improper certificate validation vulnerability [CWE-295] in FortiAnalyzer and FortiManager 7.2.0 through 7.2.1, 7.0.0
Local privilege escalation in Fortinet FortiAnalyzer, FortiManager and their Cloud variants allows an already-authentica
A unverified password change in Fortinet FortiManager versions 7.0.0 through 7.0.10, versions 7.2.0 through 7.2.4, and v
An improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78 ] in
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today