CVE-2024-32116: 
Fortinet FortiManager vulnerability analysis and mitigation

Multiple relative path traversal vulnerabilities [CWE-23] affect Fortinet's security management products including FortiManager (versions 7.4.0-7.4.2 and before 7.2.5), FortiAnalyzer (versions 7.4.0-7.4.2 and before 7.2.5), and FortiAnalyzer-BigData (version 7.4.0 and before 7.2.7). The vulnerability was discovered internally by Theo Leleu of Fortinet's product security team and was disclosed on November 12, 2024 (Fortinet Advisory).

The vulnerability is classified as a relative path traversal issue (CWE-23) that allows privileged attackers to delete files from the underlying filesystem through crafted CLI requests. The vulnerability has received a CVSS v3.1 base score of 6.0 (Medium) from NIST with a vector string of CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H, indicating local access requirements and high privileges needed for exploitation (NVD).

If exploited, this vulnerability allows privileged attackers to delete files from the underlying filesystem, potentially affecting system integrity and availability. The CVSS scoring indicates high potential impact on both integrity and availability of the affected systems (NVD).

Fortinet has released fixes for affected products. Users should upgrade FortiManager and FortiAnalyzer to version 7.4.3 or above for 7.4.x branch, or 7.2.6 or above for 7.2.x branch. FortiAnalyzer-BigData users should upgrade to version 7.4.1 or above for 7.4.x branch, or 7.2.8 or above for 7.2.x branch. Users on versions 7.0 and earlier should migrate to a fixed release (Fortinet Advisory).