CVE-2024-40591

Summary

An incorrect privilege assignment vulnerability [CWE-266] in Fortinet FortiOS version 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9 and before 7.0.15 allows an authenticated admin whose access profile has the Security Fabric permission to escalate their privileges to super-admin by connecting the targetted FortiGate to a malicious upstream FortiGate they control.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiOS7.6.0affected
FortinetFortiOS7.4.0 <= 7.4.4affected
FortinetFortiOS7.2.0 <= 7.2.9affected
FortinetFortiOS7.0.0 <= 7.0.15affected
FortinetFortiOS6.4.0 <= 6.4.15affected

Weaknesses

  • CWE-266: Escalation of privilege

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References