Skip to main content

FortiManager CVE-2024-35276

CRITICAL
Stack-based Buffer Overflow (CWE-121)
2025-01-14 psirt@fortinet.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Crafted-packet stack overflow reachable over the network with no stated authentication or user interaction yields code execution, giving AV:N/AC:L/PR:N and full C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jul 08, 2026 - 14:30 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 08, 2026 - 14:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 08, 2026 - 14:22 vuln.today
cvss_changed
Severity Changed
Jul 08, 2026 - 14:22 NVD
MEDIUM CRITICAL
CVSS changed
Jul 08, 2026 - 14:22 NVD
5.6 (MEDIUM) 9.8 (CRITICAL)
Analysis Generated
Mar 28, 2026 - 18:03 vuln.today
CVE Published
Jan 14, 2025 - 14:15 nvd
MEDIUM 5.6

DescriptionNVD

A stack-based buffer overflow in Fortinet FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, FortiManager versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, FortiManager Cloud versions 7.4.1 through 7.4.3, 7.2.1 through 7.2.5, 7.0.1 through 7.0.11, 6.4.1 through 6.4.7, FortiAnalyzer Cloud versions 7.4.1 through 7.4.3, 7.2.1 through 7.2.5, 7.0.1 through 7.0.11, 6.4.1 through 6.4.7 allows attacker to execute unauthorized code or commands via specially crafted packets.

AnalysisAI

Remote code execution in Fortinet FortiManager and FortiAnalyzer (plus their Cloud variants) arises from a stack-based buffer overflow (CWE-121) reachable via specially crafted packets, letting an attacker run unauthorized code or OS commands on the management appliance. Affected trains span 6.4, 7.0, 7.2, and 7.4 across on-prem and Cloud editions. The CVSS vector rates this 9.8 with PR:N (network, no authentication), though the low EPSS (0.17%, 38th percentile) and absence of KEV/POC signals indicate no public exploit identified at time of analysis despite the critical rating.

Technical ContextAI

FortiManager is Fortinet's centralized policy/device management platform and FortiAnalyzer is its centralized logging and analytics platform; both (and their SaaS 'Cloud' variants) sit at the core of a Fortinet security fabric and communicate with managed FortiGate devices over proprietary management protocols. The root cause is CWE-121, a stack-based buffer overflow: a request handler copies attacker-controlled packet data into a fixed-size stack buffer without adequate bounds checking, allowing the return address/saved registers to be overwritten and control flow to be hijacked. The CPE set confirms the affected products are cpe:2.3:a:fortinet:fortimanager, fortimanager_cloud, fortianalyzer, and fortianalyzer_cloud (application-level), consistent with the multi-product advisory FG-IR-24-165.

RemediationAI

Patch available per vendor advisory FG-IR-24-165 (https://fortiguard.fortinet.com/psirt/FG-IR-24-165) - upgrade each product to the fixed build above its affected range (per Fortinet's standard remediation the fixed trains are 7.4.4+, 7.2.6+, 7.0.13+, and 6.4.15+, but confirm the exact target build for your product/edition against the advisory as these versions are inferred from the affected ranges rather than stated in the provided data). Because this is a management/logging plane, the strongest compensating control until patched is to restrict network reachability: place FortiManager/FortiAnalyzer on an isolated management VLAN, never expose them to the internet, and use firewall ACLs to permit administrative and device-registration traffic only from known FortiGate devices and admin jump hosts - the trade-off is that legitimate remote administration and any cloud-managed device onboarding must traverse a VPN or bastion. For the Cloud variants, apply the vendor-hosted fix on Fortinet's schedule and monitor the advisory. Enable and review appliance logs for anomalous or malformed inbound packets to the management services.

CVE-2023-25610 CRITICAL
9.8 Mar 24

A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0

CVE-2023-42788 MEDIUM POC
6.7 Oct 10

An improper neutralization of special elements used in an os command ('OS Command Injection') vulnerability [CWE-78] in

CVE-2023-44256 MEDIUM POC
6.5 Oct 20

A server-side request forgery vulnerability [CWE-918] in Fortinet FortiAnalyzer version 7.4.0, version 7.2.0 through 7.2

CVE-2023-42787 MEDIUM POC
6.5 Oct 10

A client-side enforcement of server-side security [CWE-602] vulnerability in Fortinet FortiManager version 7.4.0 and bef

CVE-2024-23666 HIGH
8.8 Nov 12

A client-side enforcement of server-side security in Fortinet FortiAnalyzer-BigData at least version 7.4.0 and 7.2.0 thr

CVE-2022-22300 HIGH
8.8 Mar 01

A improper handling of insufficient permissions or privileges in Fortinet FortiAnalyzer version 5.6.0 through 5.6.11, Fo

CVE-2020-12817 HIGH
8.8 Sep 24

An improper neutralization of input vulnerability in FortiAnalyzer before 6.4.1 and 6.2.5 may allow a remote authenticat

CVE-2023-22642 HIGH
8.1 Apr 11

An improper certificate validation vulnerability [CWE-295] in FortiAnalyzer and FortiManager 7.2.0 through 7.2.1, 7.0.0

CVE-2024-45331 HIGH
7.8 Jan 16

Local privilege escalation in Fortinet FortiAnalyzer, FortiManager and their Cloud variants allows an already-authentica

CVE-2024-33503 HIGH
7.8 Jan 14

Local privilege escalation in Fortinet FortiManager (6.4.0-6.4.14, 7.0.0-7.0.12, 7.2.0-7.2.5, 7.4.0-7.4.3) and FortiAnal

CVE-2024-21757 HIGH
7.8 Aug 13

A unverified password change in Fortinet FortiManager versions 7.0.0 through 7.0.10, versions 7.2.0 through 7.2.4, and v

CVE-2023-25607 HIGH
7.8 Oct 10

An improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78 ] in

Share

CVE-2024-35276 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy