CVE-2024-33503: 
Fortinet FortiManager vulnerability analysis and mitigation

An improper privilege management vulnerability (CVE-2024-33503) was discovered in Fortinet FortiManager and FortiAnalyzer products. The vulnerability was identified on January 14, 2025, affecting multiple versions of FortiManager and FortiAnalyzer, including both on-premises and cloud deployments. The affected versions include FortiManager and FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.x, and 6.4.x. The vulnerability was internally discovered by Gwendal Guégniaud of the Fortinet Product Security Team (Fortinet Advisory).

The vulnerability is classified as an improper privilege management issue (CWE-269) that could allow privilege escalation through specific shell commands by exploiting incorrect filesystem permissions. The National Vulnerability Database assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Fortinet assessed it with a CVSS score of 6.7 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows local attackers to escalate their privileges by exploiting incorrect filesystem permissions. This could potentially lead to unauthorized access to system resources and compromise of system security (Fortinet Advisory).

Fortinet has released security patches to address this vulnerability. Users are advised to upgrade to the following versions: FortiManager/FortiAnalyzer 7.4.4 or above for 7.4.x versions, FortiManager/FortiAnalyzer 7.2.6 or above for 7.2.x versions. For versions 7.0.x and 6.4.x, users should migrate to a fixed release. Cloud versions have similar upgrade paths with FortiAnalyzer Cloud users advised to upgrade to 7.4.3 or above for 7.4.x versions, and 7.2.7 or above for 7.2.x versions (Fortinet Advisory).