Critical Vulnerability Alert – FortiManager OS Command Injection Flaw Poses High Risk

Fortinet has released a security update addressing a severe vulnerability in FortiManager that could be exploited by remote attackers to execute unauthorized code. The flaw, an OS command injection vulnerability tracked as CVE-2024-48889, affects multiple FortiManager versions, as well as several FortiAnalyzer models when the FMG-status feature is enabled.

The vulnerability could allow an authenticated remote attacker to execute arbitrary OS commands, compromising the affected system’s security. The flaw has been rated with a CVSSv3 score of 7.2, classifying it as high severity, with potential impacts including unauthorized code execution.

Affected Versions and Solutions:

  • FortiManager 7.6: Affected versions 7.6.0 — Upgrade to 7.6.1 or higher
  • FortiManager 7.4: Affected versions 7.4.0 to 7.4.4 — Upgrade to 7.4.5 or higher
  • FortiManager 7.2: Affected versions 7.2.3 to 7.2.7 — Upgrade to 7.2.8 or higher
  • FortiManager 7.0: Affected versions 7.0.5 to 7.0.12 — Upgrade to 7.0.13 or higher
  • FortiManager 6.4: Affected versions 6.4.10 to 6.4.14 — Upgrade to 6.4.15 or higher
  • FortiAnalyzer Models: 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E (if FMG-status is enabled) — Apply the necessary updates to mitigate the vulnerability
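
To turn the version list above into an inventory check, here is an added example (not Fortinet's tooling and not code from the original post) that classifies a FortiManager version string against the affected ranges and fixed releases stated in this advisory; the hostnames in the sample inventory are constructed, and FortiAnalyzer is not covered because the post gives no version ranges for it.

```python
# Added example (not from Fortinet or the original post): check FortiManager
# version strings against the CVE-2024-48889 ranges listed in the advisory.

# (branch, first affected, last affected, first fixed) as stated in the post
AFFECTED_RANGES = [
    ("7.6", (7, 6, 0), (7, 6, 0), "7.6.1"),
    ("7.4", (7, 4, 0), (7, 4, 4), "7.4.5"),
    ("7.2", (7, 2, 3), (7, 2, 7), "7.2.8"),
    ("7.0", (7, 0, 5), (7, 0, 12), "7.0.13"),
    ("6.4", (6, 4, 10), (6, 4, 14), "6.4.15"),
]

def parse_version(text):
    """Parse 'major.minor.patch' into a tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def check_fortimanager(version_text):
    """Return (affected, advice) for one FortiManager version.
    Branches the advisory does not list are reported as 'not listed' rather
    than as safe, because the post only enumerates the affected ranges."""
    v = parse_version(version_text)
    for branch, low, high, fixed in AFFECTED_RANGES:
        if v[:2] == low[:2]:                 # same major.minor branch
            if low <= v <= high:             # tuple comparison, not string
                return True, f"affected; upgrade to {fixed} or higher"
            return False, f"not in affected range for branch {branch}"
    return False, "branch not listed in advisory; verify against Fortinet PSIRT"

def triage(inventory):
    """Run the check over a {hostname: version} map and return only the
    hosts that still need patching, with the advice for each."""
    needs_patch = {}
    for host, ver in inventory.items():
        affected, advice = check_fortimanager(ver)
        if affected:
            needs_patch[host] = advice
    return needs_patch

if __name__ == "__main__":
    # Constructed sample inventory; the hostnames are placeholders.
    sample = {"fmg-dc1": "7.4.3", "fmg-dc2": "7.4.5", "fmg-lab": "7.0.12"}
    for host, advice in triage(sample).items():
        print(host, advice)
```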

Fortinet strongly urges all users and administrators to review the security bulletin and update their systems immediately to mitigate the risks associated with this vulnerability.
