CVE-2024-32118: 
Fortinet FortiManager vulnerability analysis and mitigation

Multiple OS Command Injection vulnerabilities (CVE-2024-32118) were discovered in Fortinet products, specifically affecting FortiManager version 7.4.0 through 7.4.2 and before 7.2.5, FortiAnalyzer version 7.4.0 through 7.4.2 and before 7.2.5, and FortiAnalyzer-BigData before 7.4.0. The vulnerability was discovered internally by Théo Leleu of Fortinet's product security team and was publicly disclosed on November 12, 2024 (Fortinet Advisory).

The vulnerability is classified as an improper neutralization of special elements used in an OS command (CWE-78) that exists in the CLI interface of the affected products. The vulnerability has received a CVSS v3.1 base score of 6.7 MEDIUM (Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating a moderate severity level that requires local access and high privileges for exploitation (NVD).

If successfully exploited, this vulnerability allows an authenticated privileged attacker to execute unauthorized code or commands on the affected systems via crafted CLI requests. The impact affects the confidentiality, integrity, and availability of the system, as indicated by the CVSS metrics showing High impact scores for all three security properties (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users of FortiManager 7.4.0-7.4.2 should upgrade to version 7.4.3 or above, while those using versions before 7.2.5 should upgrade to 7.2.6 or above. FortiAnalyzer users should follow similar upgrade paths. FortiAnalyzer-BigData users should upgrade to version 7.4.1 or above. Users of older versions are advised to migrate to a fixed release (Fortinet Advisory).