CVE-2024-40591

Published: Feb 11, 2025Modified: Jul 17, 2025

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

An incorrect privilege assignment vulnerability [CWE-266] in Fortinet FortiOS version 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9 and before 7.0.15 allows an authenticated admin whose access profile has the Security Fabric permission to escalate their privileges to super-admin by connecting the targetted FortiGate to a malicious upstream FortiGate they control.

Affected (5)

Products: Fortinet: Fortios

Fortinet

1 product

Fortios

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortios	From 6.4.0 to 6.4.16
Fortinet Fortios	From 7.0.0 to 7.0.16
Fortinet Fortios	From 7.2.0 to 7.2.10
Fortinet Fortios	From 7.4.0 to 7.4.5
Fortinet Fortios	Version 7.6.0

Related CWEs

CWE-266

Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

References (1)

https://fortiguard.fortinet.com/psirt/FG-IR-24-302

Source: psirt@fortinet.com

Vendor Advisory

Timeline

No history available yet.