Fortinet FortiWeb
CVE-2024-48885
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Network-reachable service parses crafted packets with low complexity and per vendor no prior auth (PR:N); traversal enables privileged writes so I:H/A:H, with no data disclosure (C:N).
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
7DescriptionNVD
A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiRecorder 7.2.0 through 7.2.1, FortiRecorder 7.0.0 through 7.0.4, FortiVoice 7.0.0 through 7.0.4, FortiVoice 6.4.0 through 6.4.9, FortiVoice 6.0 all versions, FortiWeb 7.6.0, FortiWeb 7.4.0 through 7.4.4, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions, FortiWeb 6.4 all versions allows attacker to escalate privilege via specially crafted packets.
AnalysisAI
Privilege escalation via path traversal affects multiple Fortinet appliances - FortiWeb (6.4, 7.0, 7.2, 7.4.0-7.4.4, 7.6.0), FortiVoice (6.0, 6.4.0-6.4.9, 7.0.0-7.0.4), and FortiRecorder (7.0.0-7.0.4, 7.2.0-7.2.1) - where an attacker sends specially crafted packets that break out of a restricted directory to gain elevated privileges. Fortinet PSIRT scores this CVSS 9.1 with no confidentiality impact but high integrity and availability impact, reflecting a management-plane compromise rather than data theft. There is no public exploit identified at time of analysis and EPSS is modest (0.39%, 60th percentile), so exploitation is not yet observed at scale.
Technical ContextAI
The root cause is CWE-22 (improper limitation of a pathname to a restricted directory, i.e. path traversal), in which user-controllable input embedded in network packets is used to construct a filesystem path without sufficient canonicalization or sandbox enforcement, letting an attacker reference locations outside the intended directory. The affected components are Fortinet's appliance operating environments across three product lines (FortiWeb web application firewall, FortiVoice unified communications, FortiRecorder network video recorder), all sharing common Fortinet platform code, which explains why a single flaw spans all three. The CVSS vector (C:N/I:H/A:H) indicates the traversal is leveraged not to read files but to write to or manipulate privileged paths, resulting in privilege escalation and integrity/availability compromise of the appliance.
RemediationAI
Upgrade each affected product to a Fortinet-fixed release as specified in advisory FG-IR-24-259 (https://fortiguard.fortinet.com/psirt/FG-IR-24-259); exact fixed build numbers should be taken directly from that advisory as they were not included in this dataset. Patch available per vendor advisory - apply the vendor-released fixed versions for your specific FortiWeb, FortiVoice, or FortiRecorder branch. Until patched, restrict network reachability of the appliance management and service interfaces: limit administrative and service access to trusted management networks or VPN, place the appliances behind firewall rules that block untrusted sources from the affected service ports, and disable or restrict any externally exposed management access - noting the trade-off that tightening management access may disrupt remote administration and legitimate integrations, so validate allowlists before enforcing.
More in Fortirecorder
View allArbitrary file write and folder deletion in Fortinet FortiManager, FortiOS, and FortiProxy is possible via a path traver
An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiDDoS versi
A externally controlled reference to a resource in another sphere vulnerability in Fortinet allows attacker to poison we
A cleartext storage of sensitive information vulnerability [CWE-312] vulnerability in Fortinet FortiMail 7.6.0 through 7
Multiple relative path traversal vulnerabilities [CWE-23] vulnerability in Fortinet FortiCamera 2.1 all versions, FortiC
Fortinet FortiCamera, FortiMail, FortiNDR, FortiRecorder, and FortiVoice contain a stack-based buffer overflow enabling
An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiMail vers
A improper limitation of a pathname to a restricted directory ('path traversal') [CWE-23] in Fortinet FortiRecorder vers
A relative path traversal in Fortinet FortiRecorder [CWE-23] version 7.2.0 through 7.2.1 and before 7.0.4 allows a privi
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today