CVE-2024-40584

HIGH

Fortinet FortiAnalyzer <7.4.3 - OS Command Injection

Title source: llm

Description

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiAnalyzer version 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15 and 6.2.2 through 6.2.13, Fortinet FortiManager version 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15 and 6.2.2 through 6.2.13, Fortinet FortiAnalyzer BigData version 7.4.0, 7.2.0 through 7.2.7, 7.0.1 through 7.0.6, 6.4.5 through 6.4.7 and 6.2.5, Fortinet FortiAnalyzer Cloud version 7.4.1 through 7.4.3, 7.2.1 through 7.2.5, 7.0.1 through 7.0.13 and 6.4.1 through 6.4.7 and Fortinet FortiManager Cloud version 7.4.1 through 7.4.3, 7.2.1 through 7.2.5, 7.0.1 through 7.0.13 and 6.4.1 through 6.4.7 GUI allows an authenticated privileged attacker to execute unauthorized code or commands via crafted HTTPS or HTTP requests.

References (1)

Core 1

Core References

Vendor Advisory

https://fortiguard.fortinet.com/psirt/FG-IR-24-220

Scores

CVSS v3 7.2

EPSS 0.0012

EPSS Percentile 30.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (6)

fortinet/fortianalyzer 6.2.2 - 7.2.6

fortinet/fortianalyzer_big_data 7.4.0

fortinet/fortianalyzer_big_data 6.2.1 - 7.2.8

fortinet/fortianalyzer_cloud 6.4.1 - 7.2.6

fortinet/fortimanager 6.2.2 - 6.2.13

fortinet/fortimanager_cloud 6.4.1 - 7.0.14

Published Feb 11, 2025

Tracked Since Feb 18, 2026