Fortinet FortiOS
CVE-2024-48884
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Unauthenticated network-reachable folder deletion drives PR:N/AV:N/AC:L with high integrity and availability impact; no data disclosure so C:N, scope unchanged.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
7DescriptionNVD
A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiManager 7.6.0 through 7.6.1, FortiManager 7.4.1 through 7.4.3, FortiManager Cloud 7.4.1 through 7.4.3, FortiOS 7.6.0, FortiOS 7.4.0 through 7.4.4, FortiOS 7.2.0 through 7.2.9, FortiOS 7.0.0 through 7.0.15, FortiOS 6.4.0 through 6.4.15, FortiProxy 7.4.0 through 7.4.5, FortiProxy 7.2.0 through 7.2.11, FortiProxy 7.0.0 through 7.0.18, FortiProxy 2.0 all versions, FortiProxy 1.2 all versions, FortiProxy 1.1 all versions, FortiProxy 1.0 all versions may allow a remote authenticated attacker with access to the security fabric interface and port to write arbitrary files or a remote unauthenticated attacker to delete an arbitrary folder
AnalysisAI
Arbitrary file write and folder deletion in Fortinet FortiManager, FortiOS, and FortiProxy is possible via a path traversal flaw in the security fabric interface, where a remote authenticated attacker can write arbitrary files and, more severely, a remote unauthenticated attacker can delete arbitrary folders. The flaw carries a CVSS 9.1 (I:H/A:H) and an unusually high EPSS of 39.29% (97th percentile), signaling elevated near-term exploitation likelihood, though no public exploit is identified and it is not yet in CISA KEV. Affected products span multiple FortiOS 6.4-7.6, FortiManager 7.4-7.6, FortiProxy 1.0-7.4, and FortiManager Cloud branches.
Technical ContextAI
The root cause is CWE-22 (improper limitation of a pathname to a restricted directory, i.e., path traversal), where user-controlled path input reaching the security fabric service is not properly canonicalized or confined to an intended base directory, allowing '../' style sequences to escape into arbitrary filesystem locations. The security fabric is Fortinet's inter-device orchestration channel that links FortiGate/FortiOS, FortiManager, and FortiProxy over a dedicated management port, so the vulnerable code path is the fabric daemon that handles file/folder operations between fabric members. CPE data confirms the affected code is shared across fortimanager, fortimanager_cloud, and fortiproxy packages, and the tags additionally reference FortiRecorder, FortiVoice, and FortiWeb, indicating a common library or component reused across the Fortinet product portfolio.
RemediationAI
Patch available per vendor advisory FG-IR-24-259 (https://fortiguard.fortinet.com/psirt/FG-IR-24-259) - consult that advisory for the exact fixed builds per branch, as the description lists only affected ranges and does not enumerate fixed versions, so administrators should upgrade FortiManager past 7.6.1/7.4.3, FortiOS past 7.4.4/7.2.9/7.0.15/6.4.15, and FortiProxy past 7.4.5/7.2.11/7.0.18 (and migrate off end-of-branch FortiProxy 1.x/2.0) to the vendor's listed fixed builds. As the primary compensating control until patched, restrict reachability of the security fabric interface and its port: bind the fabric interface only to trusted management/OOB network segments, apply local-in policies or firewall rules to permit fabric traffic only from known fabric member IPs, and disable the security fabric feature on devices that do not require it - the trade-off is that disabling or tightly filtering the fabric breaks centralized fabric orchestration and topology visibility between Fortinet devices. Because the unauthenticated deletion path requires no credentials, network-level restriction of the fabric port is the highest-value mitigation.
More in Fortimanager
View allA missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2
A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0
An improper neutralization of special elements used in an os command ('OS Command Injection') vulnerability [CWE-78] in
A server-side request forgery vulnerability [CWE-918] in Fortinet FortiAnalyzer version 7.4.0, version 7.2.0 through 7.2
A client-side enforcement of server-side security [CWE-602] vulnerability in Fortinet FortiManager version 7.4.0 and bef
Remote code execution in Fortinet FortiManager and FortiAnalyzer (plus their Cloud variants) arises from a stack-based b
A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4
Lack of root file system integrity checking in Fortinet FortiManager VM application images of 6.2.0, 6.0.6 and below may
An improper access control vulnerability [CWE-284] in FortiManager management interface 7.2.0 through 7.2.2, 7.0.0 throu
A improper neutralization of special elements used in a command ('command injection') in Fortinet FortiManager versions
A client-side enforcement of server-side security in Fortinet FortiAnalyzer-BigData at least version 7.4.0 and 7.2.0 thr
A improper handling of insufficient permissions or privileges in Fortinet FortiAnalyzer version 5.6.0 through 5.6.11, Fo
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today