
Cloud Vulnerability DB
A community-led vulnerabilities database
An improper limitation of a pathname to a restricted directory (path traversal) vulnerability [CWE-22] in the FortiManager and FortiAnalyzer CLI has been assigned CVE-2024-36508. It was found internally by Wilfried Djettchou of the Fortinet Product Security team and publicly disclosed on February 11, 2025. It affects multiple releases of both FortiManager (6.4 through 7.4.2) and FortiAnalyzer (6.4 through 7.4.2) (Fortinet PSIRT).
The vulnerability carries a CVSS v3 score of 5.9, which Fortinet rates as medium severity. The flaw sits in the CLI of both products: an authenticated administrator holding diagnose privileges can supply a pathname that escapes the directory the command is meant to operate on, and so delete any file on the system (Fortinet PSIRT).
The primitive an attacker gains is arbitrary file deletion; Fortinet lists the resulting impact as execution of unauthorized code or commands. Because any file the appliance relies on can be removed, the effect is system-wide and threatens both integrity and stability. The requirement for an already-privileged, authenticated account is what keeps the severity at medium rather than high (Fortinet PSIRT).
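The advisory does not publish the affected command or code, so the following is an added illustration of the CWE-22 pattern the advisory describes, not Fortinet's code: a hypothetical "delete a file under a fixed log directory" handler in its naive form, beside a hardened form that canonicalises the path and refuses anything outside the base directory, including a symlink planted inside it. The directory layout, file names and the `delete_log_*` function names are all constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def delete_log_vulnerable(log_dir: str, name: str) -> str:
    """CWE-22: the caller-supplied name is joined to log_dir with no check,
    so '../' segments (or an absolute path) walk out of the directory."""
    target = os.path.join(log_dir, name)
    os.remove(target)
    return target


def delete_log_hardened(log_dir: str, name: str) -> str:
    """Canonicalise both sides, then require the target to sit strictly
    inside the base directory. resolve() follows symlinks, so a link inside
    log_dir that points elsewhere is rejected as well."""
    base = Path(log_dir).resolve()
    target = (base / name).resolve()
    if base not in target.parents:
        raise PermissionError(f"refusing to delete outside {base}: {name!r}")
    if not target.is_file():
        raise FileNotFoundError(name)
    target.unlink()
    return str(target)


def run_demo() -> dict:
    """Build a throwaway tree (constructed sample data), attack both
    variants with the same traversal string, and report what survived."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        log_dir = Path(root) / "var" / "log"
        log_dir.mkdir(parents=True)
        secret = Path(root) / "etc" / "config.conf"   # hypothetical victim file
        secret.parent.mkdir()
        secret.write_text("admin password hash\n")
        (log_dir / "old.log").write_text("rotated\n")

        # Vulnerable handler: '../../' climbs from var/log into a sibling tree.
        delete_log_vulnerable(str(log_dir), "../../etc/config.conf")
        results["vulnerable_deleted_outside"] = not secret.exists()

        # Recreate the victim and repeat the attack against the hardened handler.
        secret.write_text("admin password hash\n")
        try:
            delete_log_hardened(str(log_dir), "../../etc/config.conf")
            results["hardened_refused_traversal"] = False
        except PermissionError:
            results["hardened_refused_traversal"] = secret.exists()

        # A symlink inside the allowed directory that points outside it must
        # also be refused; a plain prefix check on the unresolved path misses this.
        link = log_dir / "evil.log"
        link.symlink_to(secret)
        try:
            delete_log_hardened(str(log_dir), "evil.log")
            results["hardened_refused_symlink"] = False
        except PermissionError:
            results["hardened_refused_symlink"] = secret.exists()

        # A legitimate name inside the directory still works.
        delete_log_hardened(str(log_dir), "old.log")
        results["hardened_deleted_inside"] = not (log_dir / "old.log").exists()
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

The containment test is `base in target.parents` on fully resolved paths rather than a string prefix check: a prefix check would accept `/var/log2/x` as being under `/var/log`, and an unresolved path would let a symlink bypass it. An absolute input such as `/etc/passwd` is also rejected, because `Path(base) / "/etc/passwd"` discards the base and the result has no ancestor equal to it.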
Fortinet has released fixed versions. FortiManager and FortiAnalyzer 7.4 users should upgrade to 7.4.3 or later, and 7.2 users to 7.2.6 or later. Users of 7.0 and 6.4 should migrate to a fixed release. Version 7.6 is not affected (Fortinet PSIRT).
Source: This report was generated using AI