CVE-2024-48884
HIGH
Fortinet FortiManager 7.4.1-7.4.3, FortiOS 6.4.0-6.4.15 - Path Traversal & Arbitrary File Write
Title source: llm
Description
An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiManager 7.6.0 through 7.6.1, FortiManager 7.4.1 through 7.4.3, FortiManager Cloud 7.4.1 through 7.4.3, FortiOS 7.6.0, FortiOS 7.4.0 through 7.4.4, FortiOS 7.2.0 through 7.2.9, FortiOS 7.0.0 through 7.0.15, FortiOS 6.4.0 through 6.4.15, FortiProxy 7.4.0 through 7.4.5, FortiProxy 7.2.0 through 7.2.11, FortiProxy 7.0.0 through 7.0.18, FortiProxy 2.0 all versions, FortiProxy 1.2 all versions, FortiProxy 1.1 all versions, FortiProxy 1.0 all versions may allow a remote authenticated attacker with access to the security fabric interface and port to write arbitrary files or a remote unauthenticated attacker to delete an arbitrary folder.
References (1)
Core 1
Core References
Vendor Advisory
https://fortiguard.fortinet.com/psirt/FG-IR-24-259
Scores
CVSS v3: 7.5
EPSS: 0.5028
EPSS Percentile: 97.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-22
Status: published
Products (9)
fortinet/fortimanager: 7.4.1 - 7.4.4
fortinet/fortimanager_cloud: 7.4.1 - 7.4.4
fortinet/fortios: 7.6.0
fortinet/fortios: 6.4.0 - 6.4.16
fortinet/fortiproxy: 1.0.0 - 7.0.19
fortinet/fortirecorder: 7.0.0 - 7.0.5
fortinet/fortivoice: 6.0.0 - 6.4.10
fortinet/fortiweb: 7.6.0
fortinet/fortiweb: 6.4.0 - 7.4.5
Published: Jan 14, 2025
Tracked Since: Feb 18, 2026