Skip to main content

Fortinet FortiOS CVE-2024-48884

CRITICAL
Path Traversal (CWE-22)
2025-01-14 psirt@fortinet.com
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
9.1 CRITICAL

Unauthenticated network-reachable folder deletion drives PR:N/AV:N/AC:L with high integrity and availability impact; no data disclosure so C:N, scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jul 08, 2026 - 14:29 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 08, 2026 - 14:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 08, 2026 - 14:22 vuln.today
cvss_changed
Severity Changed
Jul 08, 2026 - 14:22 NVD
HIGH CRITICAL
CVSS changed
Jul 08, 2026 - 14:22 NVD
7.5 (HIGH) 9.1 (CRITICAL)
Analysis Generated
Mar 28, 2026 - 18:03 vuln.today
CVE Published
Jan 14, 2025 - 14:15 nvd
HIGH 7.5

DescriptionNVD

A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiManager 7.6.0 through 7.6.1, FortiManager 7.4.1 through 7.4.3, FortiManager Cloud 7.4.1 through 7.4.3, FortiOS 7.6.0, FortiOS 7.4.0 through 7.4.4, FortiOS 7.2.0 through 7.2.9, FortiOS 7.0.0 through 7.0.15, FortiOS 6.4.0 through 6.4.15, FortiProxy 7.4.0 through 7.4.5, FortiProxy 7.2.0 through 7.2.11, FortiProxy 7.0.0 through 7.0.18, FortiProxy 2.0 all versions, FortiProxy 1.2 all versions, FortiProxy 1.1 all versions, FortiProxy 1.0 all versions may allow a remote authenticated attacker with access to the security fabric interface and port to write arbitrary files or a remote unauthenticated attacker to delete an arbitrary folder

AnalysisAI

Arbitrary file write and folder deletion in Fortinet FortiManager, FortiOS, and FortiProxy is possible via a path traversal flaw in the security fabric interface, where a remote authenticated attacker can write arbitrary files and, more severely, a remote unauthenticated attacker can delete arbitrary folders. The flaw carries a CVSS 9.1 (I:H/A:H) and an unusually high EPSS of 39.29% (97th percentile), signaling elevated near-term exploitation likelihood, though no public exploit is identified and it is not yet in CISA KEV. Affected products span multiple FortiOS 6.4-7.6, FortiManager 7.4-7.6, FortiProxy 1.0-7.4, and FortiManager Cloud branches.

Technical ContextAI

The root cause is CWE-22 (improper limitation of a pathname to a restricted directory, i.e., path traversal), where user-controlled path input reaching the security fabric service is not properly canonicalized or confined to an intended base directory, allowing '../' style sequences to escape into arbitrary filesystem locations. The security fabric is Fortinet's inter-device orchestration channel that links FortiGate/FortiOS, FortiManager, and FortiProxy over a dedicated management port, so the vulnerable code path is the fabric daemon that handles file/folder operations between fabric members. CPE data confirms the affected code is shared across fortimanager, fortimanager_cloud, and fortiproxy packages, and the tags additionally reference FortiRecorder, FortiVoice, and FortiWeb, indicating a common library or component reused across the Fortinet product portfolio.

RemediationAI

Patch available per vendor advisory FG-IR-24-259 (https://fortiguard.fortinet.com/psirt/FG-IR-24-259) - consult that advisory for the exact fixed builds per branch, as the description lists only affected ranges and does not enumerate fixed versions, so administrators should upgrade FortiManager past 7.6.1/7.4.3, FortiOS past 7.4.4/7.2.9/7.0.15/6.4.15, and FortiProxy past 7.4.5/7.2.11/7.0.18 (and migrate off end-of-branch FortiProxy 1.x/2.0) to the vendor's listed fixed builds. As the primary compensating control until patched, restrict reachability of the security fabric interface and its port: bind the fabric interface only to trusted management/OOB network segments, apply local-in policies or firewall rules to permit fabric traffic only from known fabric member IPs, and disable the security fabric feature on devices that do not require it - the trade-off is that disabling or tightly filtering the fabric breaks centralized fabric orchestration and topology visibility between Fortinet devices. Because the unauthenticated deletion path requires no credentials, network-level restriction of the fabric port is the highest-value mitigation.

CVE-2024-47575 CRITICAL POC
9.8 Oct 23

A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2

CVE-2023-25610 CRITICAL
9.8 Mar 24

A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0

CVE-2023-42788 MEDIUM POC
6.7 Oct 10

An improper neutralization of special elements used in an os command ('OS Command Injection') vulnerability [CWE-78] in

CVE-2023-44256 MEDIUM POC
6.5 Oct 20

A server-side request forgery vulnerability [CWE-918] in Fortinet FortiAnalyzer version 7.4.0, version 7.2.0 through 7.2

CVE-2023-42787 MEDIUM POC
6.5 Oct 10

A client-side enforcement of server-side security [CWE-602] vulnerability in Fortinet FortiManager version 7.4.0 and bef

CVE-2024-35276 CRITICAL
9.8 Jan 14

Remote code execution in Fortinet FortiManager and FortiAnalyzer (plus their Cloud variants) arises from a stack-based b

CVE-2024-26011 CRITICAL
9.8 Nov 12

A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4

CVE-2019-6695 CRITICAL
9.8 Aug 23

Lack of root file system integrity checking in Fortinet FortiManager VM application images of 6.2.0, 6.0.6 and below may

CVE-2023-41679 CRITICAL
9.6 Oct 10

An improper access control vulnerability [CWE-284] in FortiManager management interface 7.2.0 through 7.2.2, 7.0.0 throu

CVE-2024-46662 HIGH
8.8 Mar 14

A improper neutralization of special elements used in a command ('command injection') in Fortinet FortiManager versions

CVE-2024-23666 HIGH
8.8 Nov 12

A client-side enforcement of server-side security in Fortinet FortiAnalyzer-BigData at least version 7.4.0 and 7.2.0 thr

CVE-2022-22300 HIGH
8.8 Mar 01

A improper handling of insufficient permissions or privileges in Fortinet FortiAnalyzer version 5.6.0 through 5.6.11, Fo

Share

CVE-2024-48884 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy