Skip to main content

Fortinet FortiWeb CVE-2024-48885

CRITICAL
Path Traversal (CWE-22)
2025-01-16 psirt@fortinet.com
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
9.1 CRITICAL

Network-reachable service parses crafted packets with low complexity and per vendor no prior auth (PR:N); traversal enables privileged writes so I:H/A:H, with no data disclosure (C:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jul 08, 2026 - 14:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 08, 2026 - 14:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 08, 2026 - 14:22 vuln.today
cvss_changed
Severity Changed
Jul 08, 2026 - 14:22 NVD
MEDIUM CRITICAL
CVSS changed
Jul 08, 2026 - 14:22 NVD
5.3 (MEDIUM) 9.1 (CRITICAL)
Analysis Generated
Mar 28, 2026 - 18:04 vuln.today
CVE Published
Jan 16, 2025 - 09:15 nvd
MEDIUM 5.3

DescriptionNVD

A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiRecorder 7.2.0 through 7.2.1, FortiRecorder 7.0.0 through 7.0.4, FortiVoice 7.0.0 through 7.0.4, FortiVoice 6.4.0 through 6.4.9, FortiVoice 6.0 all versions, FortiWeb 7.6.0, FortiWeb 7.4.0 through 7.4.4, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions, FortiWeb 6.4 all versions allows attacker to escalate privilege via specially crafted packets.

AnalysisAI

Privilege escalation via path traversal affects multiple Fortinet appliances - FortiWeb (6.4, 7.0, 7.2, 7.4.0-7.4.4, 7.6.0), FortiVoice (6.0, 6.4.0-6.4.9, 7.0.0-7.0.4), and FortiRecorder (7.0.0-7.0.4, 7.2.0-7.2.1) - where an attacker sends specially crafted packets that break out of a restricted directory to gain elevated privileges. Fortinet PSIRT scores this CVSS 9.1 with no confidentiality impact but high integrity and availability impact, reflecting a management-plane compromise rather than data theft. There is no public exploit identified at time of analysis and EPSS is modest (0.39%, 60th percentile), so exploitation is not yet observed at scale.

Technical ContextAI

The root cause is CWE-22 (improper limitation of a pathname to a restricted directory, i.e. path traversal), in which user-controllable input embedded in network packets is used to construct a filesystem path without sufficient canonicalization or sandbox enforcement, letting an attacker reference locations outside the intended directory. The affected components are Fortinet's appliance operating environments across three product lines (FortiWeb web application firewall, FortiVoice unified communications, FortiRecorder network video recorder), all sharing common Fortinet platform code, which explains why a single flaw spans all three. The CVSS vector (C:N/I:H/A:H) indicates the traversal is leveraged not to read files but to write to or manipulate privileged paths, resulting in privilege escalation and integrity/availability compromise of the appliance.

RemediationAI

Upgrade each affected product to a Fortinet-fixed release as specified in advisory FG-IR-24-259 (https://fortiguard.fortinet.com/psirt/FG-IR-24-259); exact fixed build numbers should be taken directly from that advisory as they were not included in this dataset. Patch available per vendor advisory - apply the vendor-released fixed versions for your specific FortiWeb, FortiVoice, or FortiRecorder branch. Until patched, restrict network reachability of the appliance management and service interfaces: limit administrative and service access to trusted management networks or VPN, place the appliances behind firewall rules that block untrusted sources from the affected service ports, and disable or restrict any externally exposed management access - noting the trade-off that tightening management access may disrupt remote administration and legitimate integrations, so validate allowlists before enforcing.

Share

CVE-2024-48885 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy