CVE-2024-40591
📋 TL;DR
An authenticated FortiOS administrator whose access profile includes the Security Fabric permission can escalate to super-admin by pointing the FortiGate's Security Fabric upstream at a malicious FortiGate they control. Affected: Fortinet FortiOS 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9, and 7.0 releases before 7.0.15. Exploitation needs both a privileged admin account and a rogue upstream FortiGate, so the realistic attacker is a malicious or compromised admin rather than an unauthenticated remote one.
💻 Affected Systems
- Fortinet FortiOS
📦 What is this software?
FortiOS by Fortinet, the operating system that runs on FortiGate firewalls (the Security Fabric feature links multiple FortiGates to an upstream "root" device).
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the FortiGate device with super-admin privileges, allowing full control over firewall rules, VPN configurations, user accounts, and potentially lateral movement to connected networks.
Likely Case
An admin holding the Security Fabric permission, or an attacker who has taken over such an account, gains super-admin rights and can modify security policies, bypass controls, create further admin accounts, or export the device configuration.
If Mitigated
Limited if the Security Fabric permission is confined to the few admins who need it and the FortiGate's upstream setting is restricted to trusted devices and monitored for changes; the bug cannot be reached without both preconditions.
🎯 Exploit Status
Exploitation requires an authenticated admin account whose profile carries the Security Fabric permission plus an upstream FortiGate under the attacker's control. No public exploit is referenced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.6.1, 7.4.5, 7.2.10, 7.0.15 and later
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-302
Restart Required: Yes (a FortiOS firmware upgrade reboots the unit; plan a maintenance window)
Instructions:
1. Back up the current configuration.
2. Log into the FortiGate admin interface.
3. Navigate to System > Firmware (labelled Firmware & Registration in recent releases).
4. Download and install the fixed build for your model and branch (7.6.1, 7.4.5, 7.2.10 or 7.0.15), following Fortinet's supported upgrade path. The device reboots.
5. After the reboot, confirm the running version with get system status.
🔧 Temporary Workarounds
Restrict Security Fabric Permissions
Remove the Security Fabric permission (secfabgrp) from every admin profile that does not need it. This removes the precondition for those admins; any admin who legitimately keeps the permission remains able to trigger the bug until the device is patched.
config system accprofile
edit <profile_name>
set secfabgrp none
next
end
Control FortiGate Connections
Only join trusted, verified upstream FortiGate devices. Review the current root with show system csf and confirm the upstream address is a FortiGate your organisation operates; treat any change to that setting as a security event.
🧯 If You Can't Patch
- Implement strict access controls and monitor admin accounts with Security Fabric permission.
- Audit and restrict connections to upstream FortiGate devices to only trusted, verified sources.
🔍 How to Verify
Check if Vulnerable:
Check FortiOS version via CLI: 'get system status' and compare against affected versions.
Check Version:
get system status | grep Version
Verify Fix Applied:
Verify the running version is at or above the fixed release for its own branch (7.6.1, 7.4.5, 7.2.10 or 7.0.15) using 'get system status'. The check is per branch: a 7.4.x unit must be on 7.4.5 or later, for example, not merely on a version numbered higher than 7.0.15.
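The per-branch comparison above is easy to get wrong by hand across a fleet. The following is an added example (not code from Fortinet or from this page) that parses the Version line of a captured get system status transcript and returns a verdict against the affected ranges listed on this page. The sample transcript is constructed; the model, build number and date in it are placeholders.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per affected branch, taken from the advisory. Any build in
# the same branch below this value is affected.
FIRST_FIXED = {
    (7, 6): (7, 6, 1),
    (7, 4): (7, 4, 5),
    (7, 2): (7, 2, 10),
    (7, 0): (7, 0, 15),
}

# Matches the "Version:" line of `get system status`, e.g.
#   Version: FortiGate-60F v7.2.8,build1639,240424 (GA.M)
VERSION_RE = re.compile(r"^Version:\s*\S+\s+v(\d+)\.(\d+)\.(\d+)", re.MULTILINE)

# Constructed sample output; model, build, date and serial are placeholders.
SAMPLE_STATUS = """\
Version: FortiGate-60F v7.2.8,build1639,240424 (GA.M)
Security Level: 1
Firmware Signature: certified
Serial-Number: FGT60FTK00000000
Hostname: FGT-EDGE
Operation Mode: NAT
Current virtual domain: root
"""


def parse_version(status_output: str) -> Optional[Version]:
    """Return (major, minor, patch) from `get system status` output, or None."""
    m = VERSION_RE.search(status_output)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_vulnerable(version: Version) -> Optional[bool]:
    """True if the build is in an affected range, False if it carries the fix,
    None if the branch is not listed on this page (e.g. 6.4.x), in which case
    consult the vendor advisory rather than assuming either way."""
    branch = (version[0], version[1])
    fixed = FIRST_FIXED.get(branch)
    if fixed is None:
        return None
    # Tuple comparison is lexicographic, so (7, 2, 9) < (7, 2, 10) holds,
    # which a naive string compare of "7.2.9" and "7.2.10" would get wrong.
    return version < fixed


def check_status(status_output: str) -> str:
    """Human-readable verdict for a captured `get system status` transcript."""
    version = parse_version(status_output)
    if version is None:
        return "unknown: no Version line found"
    verdict = is_vulnerable(version)
    label = "%d.%d.%d" % version
    if verdict is None:
        return "unlisted: %s is not in an advisory branch" % label
    if verdict:
        needed = FIRST_FIXED[(version[0], version[1])]
        return "vulnerable: %s, upgrade to %d.%d.%d or later" % ((label,) + needed)
    return "fixed: %s" % label


if __name__ == "__main__":
    import sys
    # Pipe a saved transcript in, or run with no input to see the sample verdict.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    print(check_status(text))
```

Feed it saved transcripts from each device (for example collected over SSH by your inventory tooling) to get one line per unit; the None verdict for unlisted branches is deliberate, so that a 6.4 unit is reported as "unlisted" rather than silently marked fixed.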
📡 Detection & Monitoring
Log Indicators (FortiOS event logs, type="event" subtype="system"):
- The Security Fabric root changed: cfgpath="system.csf" with a cfgattr of the form upstream[...] whose new value is an address you do not recognise
- An admin account moved onto the super_admin profile: cfgpath="system.admin" cfgattr="accprofile[<old>->super_admin]"
- Configuration changes (firewall policy, VPN, admin accounts) made by an account that should not hold super-admin rights
Network Indicators:
- Outbound connections from the FortiGate to an unfamiliar FortiGate IP on the Security Fabric port (TCP 8013)
SIEM Query:
Splunk-style search, assuming the key="value" fields from FortiGate syslog are extracted. FortiOS has no single "privilege changed" field; the config-change fields below are what it actually logs:
sourcetype="fortigate" type="event" subtype="system" action="Edit" ((cfgpath="system.csf" cfgattr="upstream*") OR (cfgpath="system.admin" cfgattr="*->super_admin*"))
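The two log indicators are simple to express as detection logic once the key="value" lines are parsed. The following is an added example (not code from Fortinet or from this page) that parses FortiGate event-log lines, flags an upstream change to an address outside a trusted list, flags an accprofile change to super_admin, and correlates the two per device, since both together are the trail this CVE would leave. The sample log lines, device names, accounts, addresses, cfgtid values and the trusted-upstream list are all constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample lines in FortiGate's key="value" event-log layout (type=event
# subtype=system, "Object attribute configured"). Device names, accounts,
# addresses and cfgtid values are placeholders, not data from a real unit.
SAMPLE_LOGS = """\
date=2024-09-10 time=14:02:11 devname="FGT-EDGE" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="fabricadmin" ui="GUI(203.0.113.10)" action="Edit" cfgtid=12345 cfgpath="system.csf" cfgattr="upstream[->198.51.100.25]" msg="Edit system.csf "
date=2024-09-10 time=14:02:40 devname="FGT-EDGE" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="fabricadmin" ui="GUI(203.0.113.10)" action="Edit" cfgtid=12346 cfgpath="system.admin" cfgobj="fabricadmin" cfgattr="accprofile[prof_fabric->super_admin]" msg="Edit system.admin fabricadmin"
date=2024-09-10 time=14:03:05 devname="FGT-EDGE" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="fabricadmin" ui="GUI(203.0.113.10)" action="Edit" cfgtid=12347 cfgpath="firewall.policy" cfgobj="12" cfgattr="action[deny->accept]" msg="Edit firewall.policy 12"
date=2024-09-10 time=14:05:00 devname="FGT-CORE" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="ssh(192.0.2.5)" action="Edit" cfgtid=12348 cfgpath="system.csf" cfgattr="upstream[->10.0.0.1]" msg="Edit system.csf "
"""

# Assumption: the address(es) of the organisation's legitimate Security Fabric root.
TRUSTED_UPSTREAMS: Set[str] = {"10.0.0.1"}

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# cfgattr values look like attr[old->new]; old may be empty, attr may contain '-'.
CFGATTR_RE = re.compile(r'^(?P<attr>[\w-]+)\[(?P<old>[^\]]*?)->(?P<new>[^\]]*)\]$')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one FortiGate syslog line into a field dictionary."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def split_cfgattr(cfgattr: str) -> Optional[Tuple[str, str, str]]:
    """Return (attribute, old_value, new_value) from a cfgattr field, or None."""
    m = CFGATTR_RE.match(cfgattr)
    return (m.group("attr"), m.group("old"), m.group("new")) if m else None


def detect(log_text: str) -> List[Dict[str, str]]:
    """Apply the two log indicators to raw log lines and return one alert per hit."""
    alerts: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        f = parse_line(raw)
        if f.get("type") != "event" or f.get("subtype") != "system":
            continue
        change = split_cfgattr(f.get("cfgattr", ""))
        if change is None:
            continue
        attr, _old, new = change
        path = f.get("cfgpath")
        # Indicator 1: the Security Fabric root was pointed at a device we do not run.
        if path == "system.csf" and attr == "upstream" and new and new not in TRUSTED_UPSTREAMS:
            alerts.append({"rule": "untrusted_fabric_upstream", "device": f.get("devname", "?"),
                           "actor": f.get("user", "?"), "upstream": new,
                           "cfgtid": f.get("cfgtid", "?")})
        # Indicator 2: an admin account was moved onto the built-in super_admin profile.
        elif path == "system.admin" and attr == "accprofile" and new == "super_admin":
            alerts.append({"rule": "super_admin_assigned", "device": f.get("devname", "?"),
                           "actor": f.get("user", "?"), "target": f.get("cfgobj", "?"),
                           "cfgtid": f.get("cfgtid", "?")})
    return alerts


def correlate(alerts: List[Dict[str, str]]) -> Set[str]:
    """Devices on which both indicators fired: the pattern this CVE would leave behind."""
    seen: Dict[str, Set[str]] = {}
    for a in alerts:
        seen.setdefault(a["device"], set()).add(a["rule"])
    return {dev for dev, rules in seen.items()
            if {"untrusted_fabric_upstream", "super_admin_assigned"} <= rules}


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(a)
    print("correlated devices:", sorted(correlate(found)))
```

On the sample data FGT-EDGE produces both alerts and is reported as correlated, while FGT-CORE's upstream change to the trusted root and the firewall-policy edit produce nothing. The third sample line shows why plain config-change alerting is too noisy on its own: the policy edit is exactly what a freshly escalated account would do next, but it only becomes interesting in the context of the two preceding events.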