CVE-2024-47566
📋 TL;DR
This path traversal vulnerability in Fortinet FortiRecorder allows a privileged attacker to delete arbitrary files from the underlying filesystem via crafted CLI requests. It affects FortiRecorder versions 7.2.0 through 7.2.1 and all versions before 7.0.4. An attacker who already holds administrative CLI access can use it to delete critical system files, configuration, logs, or recorded video.
💻 Affected Systems
- Fortinet FortiRecorder
📦 What is this software?
FortiRecorder by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
A privileged attacker deletes critical system files, causing denial of service, data loss, or removal of logs and security controls that would otherwise expose or block follow-up attacks.
Likely Case
Malicious insider or compromised admin account deletes configuration files, logs, or recorded video data, disrupting surveillance operations.
If Mitigated
The only remaining actors are legitimate administrators misusing their own privileges, and remote audit trails capture the activity.
🎯 Exploit Status
Exploitation requires an authenticated, privileged CLI session. The flaw is in a CLI file operation whose path argument is not confined to the intended directory, so a crafted path containing traversal sequences escapes that directory and deletes a file elsewhere on the filesystem.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.0.4 or later (7.0 branch); 7.2.2 or later (7.2 branch)
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-401
Restart Required: Yes
Instructions:
1. Log into the FortiRecorder web interface.
2. Navigate to System > Dashboard.
3. Check for firmware updates.
4. Download and install version 7.0.4 or later (7.0 branch) or 7.2.2 or later (7.2 branch).
5. Reboot the appliance after installation.
🔧 Temporary Workarounds
Restrict CLI Access
Limit administrative CLI access to trusted personnel only and enforce strict access controls (dedicated per-person admin accounts, restricted administrator source hosts, no shared credentials).
Monitor CLI Activity
Enable detailed logging of all CLI commands, forward it to a remote syslog server, and monitor for file deletion attempts with unusual paths. Remote forwarding matters here: an attacker who can delete arbitrary files on the appliance can also delete the local logs that would record the deletion.
config log syslogd setting
set status enable
set server <IP>
end
Confirm the exact syslog configuration syntax against the CLI reference for your FortiRecorder firmware; the fragment above follows the FortiOS-style form.
🧯 If You Can't Patch
- Implement strict role-based access control (RBAC) to limit CLI access to essential personnel only.
- Enable comprehensive logging of all CLI sessions and file system changes, and ship it off-box (remote syslog or SIEM) so that locally deleted logs are still available for investigation.
🔍 How to Verify
Check if Vulnerable:
Check FortiRecorder version via CLI: 'get system status' or web interface: System > Dashboard > Firmware Version.
Check Version:
get system status | grep Version
Verify Fix Applied:
Verify the version is 7.0.4 or later on the 7.0 branch, or 7.2.2 or later on the 7.2 branch. Anything older than 7.0.4, including earlier branches, is within the affected range as the advisory states it.
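As an added example (not from the advisory or from Fortinet), the Python helper below parses the firmware version out of `get system status` output and applies the affected ranges stated above. The sample status text is constructed, and the model string and build number in it are placeholders; the parser keys on the `Version:` line and falls back to the first x.y.z token, so it tolerates minor differences in the real output format.

```python
import re

# Affected ranges as stated on this page: 7.2.0 through 7.2.1, and everything
# before 7.0.4. "Before 7.0.4" is read literally, so older branches are flagged
# too; confirm out-of-support branches against the vendor advisory.
AFFECTED_RANGES = (
    ((7, 2, 0), (7, 2, 2)),   # 7.2 branch: fixed in 7.2.2
    ((0, 0, 0), (7, 0, 4)),   # 7.0 branch and earlier: fixed in 7.0.4
)

VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")

# Constructed sample of `get system status` output (not captured from a real
# appliance; model string, build number and serial are placeholders).
SAMPLE_STATUS = """\
Version: FortiRecorder-VM v7.2.1,build0123
Serial-Number: FRCVM0000000000
"""


def parse_version(status_output):
    """Return the firmware version as a (major, minor, patch) tuple.

    Prefers the 'Version:' line so that a build number or other x.y.z token
    elsewhere in the output cannot be mistaken for the firmware version.
    """
    for line in status_output.splitlines():
        if line.strip().lower().startswith("version"):
            m = VERSION_RE.search(line)
            if m:
                return tuple(int(x) for x in m.groups())
    m = VERSION_RE.search(status_output)
    if not m:
        raise ValueError("no x.y.z version string found in status output")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if `version` lies in an affected range.

    Lower bound is inclusive, the fixed release is exclusive, so 7.0.4 and
    7.2.2 themselves are reported as fixed.
    """
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def fixed_release_for(version):
    """Minimum fixed release on the branch the appliance is running."""
    if version >= (7, 2, 0):
        return "7.2.2"
    return "7.0.4"


def assess(status_output):
    """One-line verdict suitable for an inventory report."""
    v = parse_version(status_output)
    vs = ".".join(map(str, v))
    if is_vulnerable(v):
        return "FortiRecorder %s is affected by CVE-2024-47566; upgrade to %s or later" % (
            vs, fixed_release_for(v))
    return "FortiRecorder %s is not in an affected range" % vs


if __name__ == "__main__":
    print(assess(SAMPLE_STATUS))
```

Feed it the saved output of `get system status` from each appliance to get a per-device verdict; the range table is the only thing to update if the advisory is revised.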
📡 Detection & Monitoring
Log Indicators:
- CLI commands containing file deletion operations with unusual paths
- System logs showing unexpected file deletions
Network Indicators:
- Administrative SSH or console sessions from unexpected source addresses, or at unusual times for the operators who normally manage the recorder
SIEM Query:
source="fortirecorder" action="cli_command" command="*delete*" (command="*../*" OR command="*..\\*" OR command="*%2e%2e*")
The field names (action, command) are illustrative and must be matched to how your collector parses FortiRecorder syslog. Match the whole command string with wildcards, including backslash and percent-encoded forms of "..": an exact match such as path="../" never matches a real argument.
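The SIEM query above is a string match; a detection that also resolves the path tells the analyst whether the argument actually escapes the directory it should be confined to. The following Python script is an added example, not FortiRecorder code or a Fortinet-published detection: it scans constructed CLI audit lines (the field names, the `execute delete-file` command form and the `/var/recordings` base directory are assumptions for illustration only), decodes percent-encoding and backslashes, and flags any deletion whose path contains a traversal sequence or resolves outside the assumed base directory.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample CLI audit lines. These are NOT real FortiRecorder log
# output: field names and the deletion command syntax are assumptions.
SAMPLE_LOG = """\
date=2024-12-10 time=10:01:02 devname=fortirecorder user=admin action=cli_command command="get system status"
date=2024-12-10 time=10:02:15 devname=fortirecorder user=admin action=cli_command command="execute delete-file video/2024-12-09/cam1.mp4"
date=2024-12-10 time=10:02:40 devname=fortirecorder user=admin action=cli_command command="execute delete-file ../../../etc/passwd"
date=2024-12-10 time=10:03:05 devname=fortirecorder user=ops action=cli_command command="execute delete-file ..%2f..%2fconfig/system.conf"
date=2024-12-10 time=10:03:30 devname=fortirecorder user=ops action=cli_command command="execute delete-file logs/..\\..\\bin/init"
date=2024-12-10 time=10:04:00 devname=fortirecorder user=admin action=cli_command command="diagnose sys top"
"""

# Verbs that indicate a file deletion; "delete-file" matches because '-' is a
# word boundary.
DELETE_RE = re.compile(r"\b(?:delete|rm|remove|unlink)\b", re.IGNORECASE)
# A ".." path component after separators have been folded to "/".
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


def decode_path(raw):
    """Percent-decode (bounded, to catch double encoding) and fold backslashes."""
    prev, cur = None, raw
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def escapes_base(base, path):
    """True if joining `path` under `base` resolves outside `base`.

    posixpath.join discards `base` when `path` is absolute, so absolute paths
    are reported as escapes as well.
    """
    base_norm = posixpath.normpath(base)
    full = posixpath.normpath(posixpath.join(base_norm, path))
    return not (full == base_norm or full.startswith(base_norm.rstrip("/") + "/"))


def scan_cli_log(text, base="/var/recordings"):
    """Return one alert dict per deletion argument that looks like traversal."""
    alerts = []
    for line in text.splitlines():
        m_cmd = re.search(r'command="([^"]*)"', line)
        if not m_cmd:
            continue
        cmd = m_cmd.group(1)
        if not DELETE_RE.search(cmd):
            continue
        m_user = re.search(r"\buser=(\S+)", line)
        tokens = cmd.split()
        # Assumption: every token after the deletion verb is a path argument.
        verb_idx = next(i for i, t in enumerate(tokens) if DELETE_RE.search(t))
        for raw in tokens[verb_idx + 1:]:
            path = decode_path(raw)
            reasons = []
            if TRAVERSAL_RE.search(path):
                reasons.append("traversal sequence in argument")
            if escapes_base(base, path):
                reasons.append("resolves outside " + base)
            if reasons:
                alerts.append({
                    "user": m_user.group(1) if m_user else "?",
                    "command": cmd,
                    "path": path,
                    "reason": "; ".join(reasons),
                })
    return alerts


if __name__ == "__main__":
    for a in scan_cli_log(SAMPLE_LOG):
        print("%(user)s: %(command)s -> %(path)s [%(reason)s]" % a)
```

Of the six constructed lines, only the three deletions with traversal sequences produce alerts; the legitimate deletion of a recording under the base directory does not. Decoding before matching is what catches the `%2f` form that a plain `*../*` search misses, and `escapes_base` separately catches absolute paths that contain no `..` at all.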