FortiManager
CVE-2024-35276
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Crafted-packet stack overflow reachable over the network with no stated authentication or user interaction yields code execution, giving AV:N/AC:L/PR:N and full C/I/A impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionNVD
A stack-based buffer overflow in Fortinet FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, FortiManager versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, FortiManager Cloud versions 7.4.1 through 7.4.3, 7.2.1 through 7.2.5, 7.0.1 through 7.0.11, 6.4.1 through 6.4.7, FortiAnalyzer Cloud versions 7.4.1 through 7.4.3, 7.2.1 through 7.2.5, 7.0.1 through 7.0.11, 6.4.1 through 6.4.7 allows attacker to execute unauthorized code or commands via specially crafted packets.
AnalysisAI
Remote code execution in Fortinet FortiManager and FortiAnalyzer (plus their Cloud variants) arises from a stack-based buffer overflow (CWE-121) reachable via specially crafted packets, letting an attacker run unauthorized code or OS commands on the management appliance. Affected trains span 6.4, 7.0, 7.2, and 7.4 across on-prem and Cloud editions. The CVSS vector rates this 9.8 with PR:N (network, no authentication), though the low EPSS (0.17%, 38th percentile) and absence of KEV/POC signals indicate no public exploit identified at time of analysis despite the critical rating.
Technical ContextAI
FortiManager is Fortinet's centralized policy/device management platform and FortiAnalyzer is its centralized logging and analytics platform; both (and their SaaS 'Cloud' variants) sit at the core of a Fortinet security fabric and communicate with managed FortiGate devices over proprietary management protocols. The root cause is CWE-121, a stack-based buffer overflow: a request handler copies attacker-controlled packet data into a fixed-size stack buffer without adequate bounds checking, allowing the return address/saved registers to be overwritten and control flow to be hijacked. The CPE set confirms the affected products are cpe:2.3:a:fortinet:fortimanager, fortimanager_cloud, fortianalyzer, and fortianalyzer_cloud (application-level), consistent with the multi-product advisory FG-IR-24-165.
RemediationAI
Patch available per vendor advisory FG-IR-24-165 (https://fortiguard.fortinet.com/psirt/FG-IR-24-165) - upgrade each product to the fixed build above its affected range (per Fortinet's standard remediation the fixed trains are 7.4.4+, 7.2.6+, 7.0.13+, and 6.4.15+, but confirm the exact target build for your product/edition against the advisory as these versions are inferred from the affected ranges rather than stated in the provided data). Because this is a management/logging plane, the strongest compensating control until patched is to restrict network reachability: place FortiManager/FortiAnalyzer on an isolated management VLAN, never expose them to the internet, and use firewall ACLs to permit administrative and device-registration traffic only from known FortiGate devices and admin jump hosts - the trade-off is that legitimate remote administration and any cloud-managed device onboarding must traverse a VPN or bastion. For the Cloud variants, apply the vendor-hosted fix on Fortinet's schedule and monitor the advisory. Enable and review appliance logs for anomalous or malformed inbound packets to the management services.
More in Fortianalyzer
View allA buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0
An improper neutralization of special elements used in an os command ('OS Command Injection') vulnerability [CWE-78] in
A server-side request forgery vulnerability [CWE-918] in Fortinet FortiAnalyzer version 7.4.0, version 7.2.0 through 7.2
A client-side enforcement of server-side security [CWE-602] vulnerability in Fortinet FortiManager version 7.4.0 and bef
A client-side enforcement of server-side security in Fortinet FortiAnalyzer-BigData at least version 7.4.0 and 7.2.0 thr
A improper handling of insufficient permissions or privileges in Fortinet FortiAnalyzer version 5.6.0 through 5.6.11, Fo
An improper neutralization of input vulnerability in FortiAnalyzer before 6.4.1 and 6.2.5 may allow a remote authenticat
An improper certificate validation vulnerability [CWE-295] in FortiAnalyzer and FortiManager 7.2.0 through 7.2.1, 7.0.0
Local privilege escalation in Fortinet FortiAnalyzer, FortiManager and their Cloud variants allows an already-authentica
Local privilege escalation in Fortinet FortiManager (6.4.0-6.4.14, 7.0.0-7.0.12, 7.2.0-7.2.5, 7.4.0-7.4.3) and FortiAnal
A unverified password change in Fortinet FortiManager versions 7.0.0 through 7.0.10, versions 7.2.0 through 7.2.4, and v
An improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78 ] in
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today