CVE-2024-45324 — Use of Externally-Controlled Format String in Fortinet Fortios

CWE-134 — Use of Externally-Controlled Format String4 documents4 sources

Severity

7.2HIGHNVD

EPSS

0.1%

top 70.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortios Fortinet Fortipam Fortinet Fortiproxy +2 more

Timeline

PublishedMar 11

Description

A use of externally-controlled format string vulnerability [CWE-134] in FortiOS version 7.4.0 through 7.4.4, version 7.2.0 through 7.2.9, version 7.0.0 through 7.0.15 and before 6.4.15, FortiProxy version 7.4.0 through 7.4.6, version 7.2.0 through 7.2.12 and before 7.0.19, FortiPAM version 1.4.0 through 1.4.2 and before 1.3.1, FortiSRA version 1.4.0 through 1.4.2 and before 1.3.1 and FortiWeb version 7.4.0 through 7.4.5, version 7.2.0 through 7.2.10 and before 7.0.10 allows a privileged attacker…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages10 packages

▶NVDfortinet/fortios6.2.0 — 6.2.17+4

▶NVDfortinet/fortipam1.4.0 — 1.4.3+1

▶NVDfortinet/fortisra1.4.0 — 1.4.3

▶NVDfortinet/fortiweb7.0.0 — 7.0.11+3

▶NVDfortinet/fortiproxy7.0.0 — 7.0.20+3

🔴Vulnerability Details

CVEList

CVE-2024-45324: A use of externally-controlled format string vulnerability [CWE-134] in FortiOS version 7↗2025-03-11

▶

GHSA

GHSA-gffv-9cg4-8hh4: A use of externally-controlled format string vulnerability [CWE-134] in FortiOS version 7↗2025-03-11

▶

📋Vendor Advisories

Fortinet

Multiple format string vulnerabilities↗2025-03-11

▶