CVE-2024-32123

Summary

Multiple improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiManager, FortiAnalyzer versions 7.4.0 through 7.4.2 7.2.0 through 7.2.5 and 7.0.0 through 7.0.12 and 6.4.0 through 6.4.14 and 6.2.0 through 6.2.12 and 6.0.0 through 6.0.12 and 5.6.0 through 5.6.11 and 5.4.0 through 5.4.7 and 5.2.0 through 5.2.10 and 5.0.0 through 5.0.12 and 4.3.4 through 4.3.8 allows attacker to execute unauthorized code or commands via crafted CLI requests.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiManager7.4.0 <= 7.4.2affected
FortinetFortiManager7.2.0 <= 7.2.5affected
FortinetFortiManager7.0.0 <= 7.0.13affected
FortinetFortiManager6.4.0 <= 6.4.15affected
FortinetFortiManager6.2.0 <= 6.2.13affected
FortinetFortiManager6.0.0 <= 6.0.12affected
FortinetFortiManager5.6.0 <= 5.6.11affected
FortinetFortiManager5.4.0 <= 5.4.7affected
FortinetFortiManager5.2.0 <= 5.2.10affected
FortinetFortiManager5.0.0 <= 5.0.12affected
FortinetFortiManager4.3.4 <= 4.3.8affected
FortinetFortiAnalyzer7.4.0 <= 7.4.2affected
FortinetFortiAnalyzer7.2.0 <= 7.2.5affected
FortinetFortiAnalyzer7.0.0 <= 7.0.13affected
FortinetFortiAnalyzer6.4.0 <= 6.4.15affected
FortinetFortiAnalyzer6.2.0 <= 6.2.13affected

Weaknesses

  • CWE-78: Execute unauthorized code or commands

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References