Fortinet Addresses Multiple Vulnerabilities in FortiSandbox, FortiOS, & Other Products
Fortinet has released a comprehensive security update addressing numerous vulnerabilities across its product portfolio, with particularly significant issues identified in FortiSandbox, FortiOS, and several other enterprise security solutions.
These vulnerabilities range from medium to high severity and could potentially allow attackers to execute unauthorized commands, access sensitive information, or bypass security controls in affected deployments.
The patches come as part of Fortinet’s ongoing security maintenance coordinated through their Product Security Incident Response Team (PSIRT).
FortiSandbox Vulnerabilities
OS Command vulnerability – CVE-2024-52961
FortiSandbox, Fortinet’s sandbox-based threat detection appliance, receives fixes for several flaws in this release.
The most severe is CVE-2024-52961, a high-severity OS command injection vulnerability affecting FortiSandbox 5.0.0, the 4.4, 4.2 and 4.0 branches, and all 3.x releases.
The flaw is an improper neutralization of special elements used in OS commands (CWE-78) in the virtual machine download feature: an authenticated user with no more than read-only permission can abuse it to execute arbitrary commands on the appliance.
Because read-only access is the only prerequisite, the vulnerability can lead directly to unauthorized control of the system.
| Risk Factors | Details |
| --- | --- |
| Affected Products | FortiSandbox 5.0.0, 4.4.0-4.4.6, 4.2.0-4.2.7, 4.0.0-4.0.5, and all 3.x versions |
| Impact | Execution of unauthorized commands |
| Exploit Prerequisites | Authentication with at least read-only permission |
| CVSS 3.1 Score | Not specified (High severity) |
Incorrect authorization vulnerability – CVE-2024-45328
FortiSandbox is also affected by CVE-2024-45328, a high-severity incorrect authorization vulnerability (CWE-863) that may allow a low-privileged user to execute elevated CLI commands through the GUI console. Affected releases include 4.2.0 through 4.4.6.
| Risk Factors | Details |
| --- | --- |
| Affected Products | FortiSandbox 4.4.6, 4.4.5, 4.4.4, 4.4.3, 4.4.2 and earlier |
| Impact | Execution of elevated CLI commands |
| Exploit Prerequisites | Low-privileged administrator access |
| CVSS 3.1 Score | Not specified (High severity) |
A third FortiSandbox issue, CVE-2024-54027, is the use of a hardcoded cryptographic key (CWE-321) to encrypt the remote backup server password. Because the key is the same on every appliance, anyone who extracts it from the software can recover the stored password from an exported configuration, so the encryption provides no real confidentiality for the backup credentials.
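To make the CWE-321 point concrete, here is an added example (not Fortinet's code, and not how FortiSandbox implements its backup password storage) that contrasts a key baked into the software with a per-appliance key. The cipher is a toy HMAC-based stream cipher so that the block runs with the standard library only; the key value, the `device_key` derivation and the password are constructed for the example.

```python
import hashlib
import hmac
import secrets

# CWE-321: a key compiled into the software, identical on every appliance.
# The value is constructed for this example.
HARDCODED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built from HMAC-SHA256, used so the example
    needs no third-party library. It illustrates key handling only; a real
    implementation would use an authenticated cipher such as AES-GCM."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def encrypt_backup_password(password: str, key: bytes) -> bytes:
    """Encrypt the remote backup server password for storage in the config."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, password.encode())


def decrypt_backup_password(blob: bytes, key: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def device_key(device_secret: bytes) -> bytes:
    """Per-appliance key derived from a secret created at first boot (ideally held
    in a TPM or secure element). Someone holding only the firmware cannot derive it."""
    return hashlib.sha256(b"backup-password-key|" + device_secret).digest()


def attacker_with_firmware(blob: bytes) -> bytes:
    """What anyone who has pulled HARDCODED_KEY out of the software can do with an
    exported configuration: decrypt the backup server password directly."""
    return decrypt_backup_password(blob, HARDCODED_KEY)


if __name__ == "__main__":
    pw = "S3cret-backup-pass"  # constructed
    weak = encrypt_backup_password(pw, HARDCODED_KEY)
    print("hardcoded key, attacker recovers:", attacker_with_firmware(weak))
    strong = encrypt_backup_password(pw, device_key(secrets.token_bytes(32)))
    print("per-device key, attacker gets:", attacker_with_firmware(strong))
```

With the hardcoded key, an exported configuration from any customer is decryptable by anyone who has analysed the firmware once; with a per-device key, the same firmware knowledge yields nothing without access to that specific appliance's secret.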
Format String and SQL Injection Vulnerabilities Across Products
Format String Vulnerability – CVE-2024-45324
The most widespread issue in this batch is CVE-2024-45324, a high-severity format string vulnerability (CWE-134) affecting FortiOS, FortiProxy, FortiPAM, FortiSRA, and FortiWeb.
Because an externally controlled string reaches a format function, a privileged attacker can crash the process or execute unauthorized code or commands via specially crafted HTTP/HTTPS commands. The affected versions span several release branches, including FortiOS 7.0.0 through 7.4.4 and FortiWeb 6.3.0 through 7.6.0.
| Risk Factors | Details |
| --- | --- |
| Affected Products | FortiOS 7.4.0-7.4.4 and earlier; FortiProxy 7.6.0, 7.4.3-7.4.6 and earlier; FortiPAM 1.3.0-1.4.2; FortiSRA 1.4.0-1.4.2; FortiWeb 7.6.0, 7.4.2-7.4.5 and earlier |
| Impact | Execution of unauthorized code or commands |
| Exploit Prerequisites | Privileged access, crafted HTTP/HTTPS commands |
| CVSS 3.1 Score | Not specified (High severity) |
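The two outcomes the paragraph names, a crash and disclosure of process state, can be shown without touching any Fortinet code. The added example below is not from the advisory or from FortiOS; it is a Python illustration of CWE-134 in which a request-supplied string is used as the format string. Python cannot write memory the way C's `%n` can, but `str.format` lets the caller walk attributes of the bound object, and `%`-formatting with a user-chosen string raises an exception that takes the handler down. The `SandboxEvent` class and its `_api_key` attribute are constructed for the example.

```python
class SandboxEvent:
    """Constructed log event. The _api_key attribute stands in for any sensitive
    process state reachable from an object handed to str.format()."""

    def __init__(self, name: str, api_key: str):
        self.name = name
        self._api_key = api_key  # must never appear in a log line


def render_vulnerable(template: str, ev: SandboxEvent) -> str:
    """CWE-134: the template comes from the request, so the caller chooses the
    format string and can reference any attribute of `event`, e.g.
    "{event._api_key}", leaking it into the rendered output."""
    return template.format(event=ev)


def render_hardened(template: str, ev: SandboxEvent) -> str:
    """Developer-controlled format string; the user text is only an argument, so
    braces and attribute paths inside it are printed literally."""
    return "{}: {}".format(ev.name, template)


def render_percent(template: str) -> str:
    """Same bug with %-formatting: a '%d' or '%q' in the user string raises
    TypeError/ValueError, which crashes the handler if nothing catches it."""
    return template % ()


def crashes(template: str) -> bool:
    """True if rendering the user string as a %-format raises (the DoS outcome)."""
    try:
        render_percent(template)
        return False
    except (TypeError, ValueError):
        return True


if __name__ == "__main__":
    ev = SandboxEvent("scan-42", "sk-test-constructed")
    print(render_vulnerable("{event._api_key}", ev))   # leaks the key
    print(render_hardened("{event._api_key}", ev))     # prints the braces as text
    print(crashes("%d items"), crashes("100%% done"))  # True False
```

The fix is the same in any language: the format string is a constant chosen by the developer, and anything that came from the network is passed as an argument.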
SQL injection vulnerability – CVE-2024-33501 and CVE-2024-54026
Two SQL injection vulnerabilities (CWE-89) are also addressed. CVE-2024-33501 is a medium-severity authenticated SQL injection in the command-line interface of FortiAnalyzer and FortiManager; it requires an attacker who already has privileged CLI access.
| Risk Factors | Details |
| --- | --- |
| Affected Products | FortiAnalyzer 7.4.0-7.4.2 and before 7.2.5; FortiManager 7.4.0-7.4.2 and before 7.2.5; FortiAnalyzer-BigData 7.4.0 and before 7.2.7 |
| Impact | Execution of unauthorized code or commands |
| Exploit Prerequisites | Privileged access with CLI capabilities |
| CVSS 3.1 Score | 4.2 (Medium) |
FortiSandbox is likewise affected by CVE-2024-54026, a medium-severity error-based SQL injection in the device deletion feature: because database errors are surfaced to the requester, a privileged user sending crafted HTTP requests can both manipulate the query and use the error messages to learn about the underlying database.
| Risk Factors | Details |
| --- | --- |
| Affected Products | FortiSandbox 4.4.6, 4.4.5, 4.4.4, 4.4.3, 4.4.2 and earlier |
| Impact | Execution of unauthorized code or commands |
| Exploit Prerequisites | Privileged access, crafted HTTP requests |
| CVSS 3.1 Score | Not specified (Medium severity) |
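The following added example shows what "error-based SQL injection in a device deletion feature" looks like in code and how the parameterized version behaves on the same input. It serves both CVE-2024-33501 and CVE-2024-54026 as an illustration of CWE-89 only; it is not Fortinet's code, and the `devices` table, its columns, and the device identifiers are constructed for the example (an in-memory SQLite database stands in for the appliance's database).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory 'devices' table; names and columns are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id TEXT PRIMARY KEY, serial TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?, ?)",
        [("dev-001", "FSA-0001", "alice"),
         ("dev-002", "FSA-0002", "bob"),
         ("dev-003", "FSA-0003", "carol")],
    )
    conn.commit()
    return conn


def count_devices(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM devices").fetchone()[0]


def delete_device_vulnerable(conn: sqlite3.Connection, device_id: str) -> dict:
    """CWE-89: the id from the HTTP request is concatenated into the statement,
    and the raw database error is returned to the caller. The error text is the
    'error-based' channel: an attacker probes with inputs that break the query
    and reads the engine's complaints (column names, syntax position, ...)."""
    sql = f"DELETE FROM devices WHERE id = '{device_id}'"
    try:
        cur = conn.execute(sql)
        conn.commit()
        return {"deleted": cur.rowcount, "error": None}
    except sqlite3.Error as exc:
        return {"deleted": 0, "error": str(exc)}


def delete_device_hardened(conn: sqlite3.Connection, device_id: str) -> dict:
    """Parameterized statement: the id is bound as data, never parsed as SQL.
    Any database error is mapped to a generic message so nothing leaks."""
    try:
        cur = conn.execute("DELETE FROM devices WHERE id = ?", (device_id,))
        conn.commit()
        return {"deleted": cur.rowcount, "error": None}
    except sqlite3.Error:
        return {"deleted": 0, "error": "internal error"}


if __name__ == "__main__":
    conn = make_db()
    # Probe: the error message reveals that the engine evaluated our fragment.
    print(delete_device_vulnerable(conn, "' AND no_such_column = '"))
    # Tautology: deletes every device instead of one.
    print(delete_device_vulnerable(conn, "' OR '1'='1"), count_devices(conn))
    conn = make_db()
    print(delete_device_hardened(conn, "' OR '1'='1"), count_devices(conn))
```

The vulnerable handler turns a single-row delete into a table wipe with `' OR '1'='1`, and its error path tells the attacker which column names exist; the hardened handler deletes nothing for the same payload because the quote and the `OR` are just bytes inside a bound parameter.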
Command Injection and Authorization Issues
OS command injection Vulnerability – CVE-2024-32123 and CVE-2024-54018
The update also addresses two further OS command injection vulnerabilities. CVE-2024-32123 affects the FortiAnalyzer and FortiManager command-line interface.
This medium-severity flaw is an improper neutralization of special elements used in OS commands (CWE-78): a user who already holds privileged CLI access can inject operating system commands through crafted CLI input.
| Risk Factors | Details |
| --- | --- |
| Affected Products | FortiManager 7.4.3, 7.4.2, 7.4.1, 7.4.0, 7.2.5 and earlier; FortiAnalyzer (affected versions listed in the advisory) |
| Impact | Execution of unauthorized code or commands |
| Exploit Prerequisites | Privileged access, crafted CLI requests |
| CVSS 3.1 Score | Not specified (Medium severity) |
FortiSandbox users should also note CVE-2024-54018, a medium-severity OS command injection vulnerability (CWE-78) in the administrative interface that a privileged user can trigger with crafted HTTP requests.
| Risk Factors | Details |
| --- | --- |
| Affected Products | FortiSandbox 4.4.5, 4.4.4, 4.4.3, 4.4.2, 4.4.1 and earlier |
| Impact | Execution of unauthorized code or commands |
| Exploit Prerequisites | Privileged access, crafted HTTP requests |
| CVSS 3.1 Score | Not specified (Medium severity) |
Client-Side Enforcement of Server-Side Security – CVE-2024-52960
CVE-2024-52960 is a medium-severity client-side enforcement of server-side security weakness (CWE-602) in the FortiSandbox virtual machine download feature. A restriction that is only applied in the browser-side interface is no restriction at all: an authenticated user with read-only permission can send requests directly to the server, bypass it, and have unauthorized commands executed.
| Risk Factors | Details |
| --- | --- |
| Affected Products | FortiSandbox 5.0.0, 4.4.6, 4.4.5, 4.4.4, 4.4.3 and earlier |
| Impact | Execution of unauthorized commands |
| Exploit Prerequisites | Authentication with at least read-only permission |
| CVSS 3.1 Score | Not specified (Medium severity) |
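The three OS command injection issues above (CVE-2024-52961, CVE-2024-32123 and CVE-2024-54018) and the client-side enforcement issue (CVE-2024-52960) are two halves of the same "VM download" failure mode, so one added example covers them. It is not Fortinet's code and does not reproduce any FortiSandbox endpoint: a request handler first trusts a URL that the browser UI was supposed to restrict (CWE-602) and then pastes it into a shell command line (CWE-78). The hardened handler resolves an image name against a server-side catalogue and runs the downloader without a shell. `echo` stands in for the real download tool so the block runs offline; the catalogue, host name and form fields are constructed for the example.

```python
import subprocess
from urllib.parse import urlparse

# Server-side catalogue of downloadable images. Names and host are constructed
# for this example, not FortiSandbox identifiers.
ALLOWED_HOST = "updates.example.invalid"
ALLOWED_IMAGES = {
    "win10-x64": f"https://{ALLOWED_HOST}/images/win10-x64.qcow2",
    "ubuntu-22": f"https://{ALLOWED_HOST}/images/ubuntu-22.qcow2",
}


def fetch_shell_vulnerable(url: str) -> str:
    """CWE-78: the URL is interpolated into a shell command line, so ';', '|',
    '$(...)' etc. in it are parsed by /bin/sh. `echo` replaces wget/curl here;
    the injection behaves identically with a real downloader."""
    cmd = f"echo downloading {url}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def fetch_argv_hardened(url: str) -> str:
    """No shell: each argv element reaches the program verbatim, so shell
    metacharacters in the URL are just characters of one argument."""
    return subprocess.run(["echo", "downloading", url],
                          capture_output=True, text=True).stdout


def validate_url(url: str) -> bool:
    """Defence in depth even for catalogue URLs: https, expected host, sane path."""
    parts = urlparse(url)
    return (parts.scheme == "https"
            and parts.hostname == ALLOWED_HOST
            and all(c.isalnum() or c in "-._/" for c in parts.path))


def download_request_vulnerable(form: dict) -> str:
    """CWE-602: the web UI only offers catalogue entries in a drop-down, and the
    server assumes the browser enforced that. Anyone who can authenticate can
    POST an arbitrary 'url' field straight to the endpoint."""
    return fetch_shell_vulnerable(form["url"])


def download_request_hardened(form: dict) -> str:
    """The server re-checks the request against its own catalogue and never
    accepts a client-supplied URL; the image name is validated before any use."""
    name = form.get("image", "")
    if name not in ALLOWED_IMAGES:
        raise PermissionError(f"unknown image {name!r}")
    url = ALLOWED_IMAGES[name]
    if not validate_url(url):
        raise PermissionError("catalogue entry failed validation")
    return fetch_argv_hardened(url)


def is_accepted(form: dict) -> bool:
    """True if the hardened handler would act on this request."""
    try:
        download_request_hardened(form)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    evil = {"url": "http://x; echo INJECTED"}  # constructed attacker request
    print(download_request_vulnerable(evil))   # second line: INJECTED
    print(fetch_argv_hardened(evil["url"]))    # one line, metacharacters inert
    print(is_accepted({"image": "win10-x64"}), is_accepted({"image": "win10-x64; echo INJECTED"}))
```

The vulnerable path prints `INJECTED` on its own line because `/bin/sh` ran a second command; the argv path prints the whole payload as a single literal argument, and the catalogue check stops a tampered image name before any command is built. Both checks are needed: validating on the server closes CWE-602, and dropping the shell closes CWE-78 even if a validation is later loosened.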
Recommendations for Fortinet Customers
Fortinet recommends that customers upgrade to the fixed versions listed in each security advisory.
Organizations running FortiOS, FortiSandbox, or other affected products should prioritize the high-severity issues first, and since nearly all of these flaws require an authenticated or privileged user, restricting management-interface access to trusted networks and reviewing administrator accounts reduces exposure until the upgrade is done.
Administrators should consult Fortinet’s Upgrade Path Tool for a supported upgrade path for their current release. The fixes were published through Fortinet’s PSIRT process as part of its regular security patch cycle.