CVE-2024-40591

High

Description

An incorrect privilege assignment vulnerability [CWE-266] in Fortinet FortiOS versions 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9 and before 7.0.15 allows an authenticated admin whose access profile has the Security Fabric permission to escalate their privileges to super-admin by connecting the targeted FortiGate to a malicious upstream FortiGate they control.
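The first thing a practitioner does with an entry like this is run the affected-version ranges over a device inventory. The script below is an added example written for this page, not Fortinet's code or tooling. The ranges are transcribed from the description above; "before 7.0.15" is taken literally as any build lower than 7.0.15, because the description does not say whether branches older than 7.0 were evaluated, so a 6.x hit should be confirmed against FG-IR-24-302 rather than treated as a definite match. Hostnames and build strings in the sample inventory are constructed.

```python
"""Flag FortiOS builds that fall inside the version ranges named in the
CVE-2024-40591 description. Added example; not Fortinet's code."""
import re

# Inclusive (lowest, highest) triples transcribed from the description text.
# "before 7.0.15" is modelled as (0,0,0)..(7,0,14): literal reading of the
# description, so older branches are flagged too. Confirm 6.x results
# against the vendor advisory (FG-IR-24-302).
AFFECTED_RANGES = [
    ((7, 6, 0), (7, 6, 0)),   # 7.6.0 only
    ((7, 4, 0), (7, 4, 4)),   # 7.4.0 through 7.4.4
    ((7, 2, 0), (7, 2, 9)),   # 7.2.0 through 7.2.9
    ((0, 0, 0), (7, 0, 14)),  # before 7.0.15
]

# Accepts '7.4.4', 'v7.2.9' and build-suffixed forms like '7.0.12-build0523'.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[.-].*)?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Reduce a FortiOS version string to a comparable (major, minor, patch)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the build lies in any range from the description."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Bucket (hostname, version) pairs. Unparseable versions go to 'unknown'
    instead of silently passing as 'not_affected'."""
    out: dict[str, list[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for host, ver in inventory:
        try:
            bucket = "affected" if is_affected(ver) else "not_affected"
        except ValueError:
            bucket = "unknown"
        out[bucket].append(host)
    return out


# Constructed sample inventory: hostnames and builds are made up for the demo.
SAMPLE_INVENTORY = [
    ("fgt-edge-01", "7.4.4"),
    ("fgt-edge-02", "7.4.5"),
    ("fgt-dc-01", "v7.0.12-build0523"),
    ("fgt-lab-01", "7.6.0"),
    ("fgt-branch-07", "n/a"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

A version match is necessary but not sufficient: the description says the attacker must already hold an admin account whose access profile grants the Security Fabric permission, so the complementary check is a review of which admin profiles carry that permission on the flagged units.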

References

https://hackread.com/fortios-vulnerability-super-admin-privilege-escalation/

https://www.securityweek.com/ivanti-fortinet-patch-remote-code-execution-vulnerabilities/

https://fortiguard.fortinet.com/psirt/FG-IR-24-302

Details

Source: Mitre, NVD

Published: 2025-02-11

Updated: 2025-02-11

Risk Information

CVSS v2

Base Score: 9.0

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High