CVE-2024-32116
📋 TL;DR
This vulnerability allows privileged attackers to delete arbitrary files from the underlying filesystem via crafted CLI requests in affected Fortinet products. It affects FortiManager, FortiAnalyzer, and FortiAnalyzer-BigData systems running vulnerable versions. Attackers with administrative CLI access can exploit relative path traversal flaws to delete critical system files.
💻 Affected Systems
- FortiManager
- FortiAnalyzer
- FortiAnalyzer-BigData
📦 What is this software?
Fortianalyzer by Fortinet
Fortianalyzer by Fortinet
Fortimanager by Fortinet
Fortimanager by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical operating system files, configuration files, or security controls leading to denial of service or privilege escalation.
Likely Case
Unauthorized deletion of configuration files, logs, or application data causing service disruption, data loss, or operational impact.
If Mitigated
Limited impact with proper access controls and monitoring, though file deletion could still occur if attacker gains privileged CLI access.
🎯 Exploit Status
Exploitation requires administrative CLI credentials; no public exploit code available as of advisory publication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiManager 7.4.3 or 7.2.5; FortiAnalyzer 7.4.3 or 7.2.5; FortiAnalyzer-BigData 7.2.7
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-099
Restart Required: Yes
Instructions:
1. Backup configuration and data. 2. Download appropriate firmware from Fortinet support portal. 3. Upload firmware to device via GUI or CLI. 4. Install update following vendor documentation. 5. Reboot device after installation completes.
🔧 Temporary Workarounds
Restrict CLI Access
allLimit administrative CLI access to trusted users only and implement strong authentication controls.
config system admin
edit <admin_user>
set accprofile "restricted_profile"
set trusthost1 <trusted_ip>
end
Implement Network Segmentation
allIsolate management interfaces from untrusted networks and implement strict firewall rules.
🧯 If You Can't Patch
- Implement strict access controls and monitor all CLI sessions for suspicious file deletion commands.
- Deploy file integrity monitoring to detect unauthorized file deletions and maintain comprehensive backups.
🔍 How to Verify
Check if Vulnerable:
Check system version via CLI: 'get system status' and compare with affected versions list.Check Version:
get system status | grep VersionVerify Fix Applied:
Verify installed version is equal to or greater than patched versions: FortiManager 7.4.3/7.2.5, FortiAnalyzer 7.4.3/7.2.5, FortiAnalyzer-BigData 7.2.7.📡 Detection & Monitoring
Log Indicators:
- CLI session logs showing file deletion commands with path traversal patterns (../ sequences)
- System logs showing unexpected file deletions or permission errors
Network Indicators:
- Unusual CLI traffic patterns from non-standard sources
- Multiple failed authentication attempts followed by successful CLI access
SIEM Query:
source="fortinet" AND (event_type="cli_command" AND command="delete" AND path="*../*") OR (event_type="file_deletion" AND user="admin")