CVE-2024-35273 – This vulnerability allows attackers to execute ... (How to Fix)

Q: What is the severity of CVE-2024-35273?

CVE-2024-35273 has a CVSS score of 7.2 (HIGH). This vulnerability allows attackers to execute arbitrary code with elevated privileges on Fortinet FortiManager and FortiAnalyzer systems through specially crafted HTTP requests. It affects organizations using these products for network management and log analysis. Successful exploitation could lead to complete system compromise.

📋 TL;DR

This vulnerability allows attackers to execute arbitrary code with elevated privileges on Fortinet FortiManager and FortiAnalyzer systems through specially crafted HTTP requests. It affects organizations using these products for network management and log analysis. Successful exploitation could lead to complete system compromise.

💻 Affected Systems

Products:

Fortinet FortiManager
Fortinet FortiAnalyzer

Versions: 7.4.0 through 7.4.2

Operating Systems: FortiOS-based appliances

Default Config Vulnerable: ⚠️ Yes

Notes: All deployments running affected versions are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system takeover with administrative privileges, allowing attacker to modify configurations, access sensitive data, and pivot to other network segments.

🟠

Likely Case

Privilege escalation leading to unauthorized administrative access, configuration changes, and potential data exfiltration.

🟢

If Mitigated

Limited impact due to network segmentation, strict access controls, and monitoring preventing successful exploitation.

🌐 Internet-Facing: HIGH - HTTP-based attack vector makes internet-facing instances particularly vulnerable to remote exploitation.

🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability to escalate privileges.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires crafting specific HTTP requests to trigger the out-of-bounds write condition.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FortiManager 7.4.3 or above, FortiAnalyzer 7.4.3 or above

Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-106

Restart Required: No

Instructions:

1. Log into Fortinet support portal. 2. Download FortiManager/FortiAnalyzer version 7.4.3 or later. 3. Upload firmware to device. 4. Install update via System > Maintenance > Firmware. 5. Verify successful upgrade.

🔧 Temporary Workarounds

Restrict HTTP Access

all

Limit HTTP/HTTPS access to management interfaces to trusted IP addresses only.

config system interface
edit <interface_name>
set allowaccess https ssh ping
end

🧯 If You Can't Patch

Isolate affected systems in separate network segments with strict firewall rules.
Implement additional authentication layers and monitor for suspicious HTTP requests to management interfaces.

🔍 How to Verify

Check if Vulnerable:

Check current firmware version via GUI (System > Dashboard) or CLI (get system status).

Check Version:

get system status | grep Version

Verify Fix Applied:

Confirm firmware version is 7.4.3 or higher and monitor for abnormal HTTP request patterns.

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP requests to management interfaces
Privilege escalation events in system logs
Out-of-bounds memory access warnings

Network Indicators:

HTTP requests with abnormal patterns to FortiManager/FortiAnalyzer ports
Traffic spikes to management interfaces

SIEM Query:

source="fortimanager" OR source="fortianalyzer" AND (http_request CONTAINS "malicious_pattern" OR event_type="privilege_escalation")

📊 Metadata

CVE ID: CVE-2024-35273

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-787

EPSS Score: 0.16% exploit probability (36.3th percentile)

Published: January 14, 2025

Last Updated: January 31, 2025

🔗 References

https://fortiguard.fortinet.com/psirt/FG-IR-24-106 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-35273, you might also want to check these: