CVE-2024-33508: 
FortiClient EMS Analisi e mitigazione delle vulnerabilità

An improper neutralization of special elements used in a command (Command Injection) vulnerability was discovered in Fortinet FortiClientEMS affecting versions 7.2.0 through 7.2.4 and 7.0.0 through 7.0.12. The vulnerability was assigned CVE-2024-33508 and was disclosed on September 10, 2024. This security flaw impacts the DAS component of FortiClientEMS, including both standard and cloud deployments (Fortinet Advisory).

The vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command) with a CVSS v3.1 base score of 7.3 (HIGH). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U) with low impacts on confidentiality (C:L), integrity (I:L), and availability (A:L) (NVD).

The vulnerability allows an unauthenticated attacker to execute limited and temporary operations on the underlying database via crafted requests. The impact is rated as low across confidentiality, integrity, and availability aspects of the system (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users of FortiClientEMS 7.2.x should upgrade to version 7.2.5 or above, while users of version 7.0.x should upgrade to 7.0.13 or above. For FortiSASE customers, Fortinet has remediated this issue in version 24.2.c with no action required from customers (Fortinet Advisory).

The vulnerability was responsibly disclosed by ANSSI to Fortinet, demonstrating effective coordination between security researchers and vendors (Fortinet Advisory).