CVE-2024-40591: Incorrect Privilege Assignment in Fortinet FortiOS

Severity
NVD: 7.2 HIGH
CNA: 8.8
EPSS
0.1% (top 76.47%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Feb 11, 2025

Description

An incorrect privilege assignment vulnerability [CWE-266] in Fortinet FortiOS versions 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9 and before 7.0.15 allows an authenticated admin whose access profile has the Security Fabric permission to escalate their privileges to super-admin by connecting the targeted FortiGate to a malicious upstream FortiGate they control.
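
The description gives a defender two things to check without any exploit detail: whether a FortiOS build sits inside the listed ranges, and whether any admin access profile other than the built-in super-admin one grants the Security Fabric permission (the accounts this CVE lets escalate). The following is an added example, not Fortinet's code and not taken from this page, that scores a constructed device inventory against those two conditions. Assumptions are marked in the code: the ranges are read literally from the description, so "before 7.0.15" also sweeps in the 6.4 branch that the NVD row lists; the accprofile attribute name secfabgrp, the built-in profile name super_admin, and the sample configs and hostnames are assumed or constructed for the demonstration.

```python
"""Triage helper for CVE-2024-40591 (added example, not Fortinet's code).
Facts from the advisory text: affected builds are 7.6.0, 7.4.0-7.4.4,
7.2.0-7.2.9 and before 7.0.15; the attacker needs an admin whose access
profile has the Security Fabric permission."""
import re

# --- 1. affected version ranges, read literally from the description --------
AFFECTED_RANGES = [              # inclusive (low, high)
    ((7, 6, 0), (7, 6, 0)),
    ((7, 4, 0), (7, 4, 4)),
    ((7, 2, 0), (7, 2, 9)),
]
FIRST_FIXED_7_0 = (7, 0, 15)     # "before 7.0.15"

def parse_version(text):
    """'v7.4.3' or '7.4.3' -> (7, 4, 3); rejects anything that is not x.y.z."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not an x.y.z FortiOS version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    v = parse_version(version)
    # Assumption: "before 7.0.15" is taken literally, so every lower version,
    # including the 6.4.x branch the NVD row on the page lists, counts.
    if v < FIRST_FIXED_7_0:
        return True
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

# --- 2. admin profiles that carry the Security Fabric permission ------------
FABRIC_ATTR = "secfabgrp"        # assumed CLI attribute name, not from this page
BUILTIN_SUPER = "super_admin"    # assumed built-in profile name, not from this page

def profiles_with_fabric_permission(config_text):
    """Walk a 'config system accprofile' block and return the profile names whose
    Security Fabric permission is anything other than 'none'. Nested sub-blocks
    inside an entry are skipped by tracking config/end depth."""
    found, current, depth, acc_depth = [], None, 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if line == "config system accprofile":
                acc_depth = depth
            continue
        if line == "end":
            if depth == acc_depth:
                acc_depth, current = None, None
            depth -= 1
            continue
        if acc_depth is None or depth != acc_depth:
            continue                                  # not at accprofile entry level
        m = re.fullmatch(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
        elif line == "next":
            current = None
        else:
            m = re.fullmatch(rf"set {FABRIC_ATTR} (\S+)", line)
            if m and current and m.group(1) != "none":
                found.append(current)
    return found

def triage(devices):
    """devices: list of {'name', 'version', 'config'}. Per device, report whether
    the build is affected and which non-super_admin profiles hold the permission."""
    report = {}
    for d in devices:
        exposed = [p for p in profiles_with_fabric_permission(d["config"])
                   if p != BUILTIN_SUPER]
        report[d["name"]] = {"affected": is_affected(d["version"]),
                             "exposed_profiles": exposed}
    return report

# --- constructed sample data (not real devices or configs) ------------------
SAMPLE_CONFIG = """\
config system accprofile
    edit "super_admin"
        set secfabgrp read-write
    next
    edit "fabric_ops"
        set secfabgrp read-write
        set fwgrp custom
        config fwgrp-permission
            set policy read
        end
    next
    edit "readonly"
        set secfabgrp none
    next
end
"""
NO_FABRIC_CONFIG = SAMPLE_CONFIG.replace(
    'edit "fabric_ops"\n        set secfabgrp read-write',
    'edit "fabric_ops"\n        set secfabgrp none')
SAMPLE_DEVICES = [
    {"name": "fgt-edge-1", "version": "7.4.3",  "config": SAMPLE_CONFIG},     # affected, exposed
    {"name": "fgt-edge-2", "version": "7.4.5",  "config": SAMPLE_CONFIG},     # fixed build
    {"name": "fgt-lab",    "version": "6.4.16", "config": NO_FABRIC_CONFIG},  # affected, nobody exposed
]

if __name__ == "__main__":
    for name, result in triage(SAMPLE_DEVICES).items():
        print(name, result)
```

A device is only worth an emergency change window when both columns are true; an affected build whose non-super_admin profiles all have the permission set to none has no account that can take the escalation path the description names, though it still needs the fixed build.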

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages (2 packages)

NVD: fortinet/fortios 6.4.0 to 6.4.16 (+4 more ranges)
CVEList V5: fortinet/fortios 7.4.0 to 7.4.4 (+4 more ranges)

Vulnerability Details (2)

GHSA: GHSA-hmpg-p67j-959p (2025-02-11): An incorrect privilege assignment vulnerability [CWE-266] in Fortinet FortiOS version 7...
CVEList: CVE-2024-40591 (2025-02-11): An incorrect privilege assignment vulnerability [CWE-266] in Fortinet FortiOS version 7...

Vendor Advisories (1)

Fortinet (2025-02-11): Permission escalation due to an Improper Privilege Management
CVE-2024-40591 — Incorrect Privilege Assignment | cvebase