CVE-2024-40584: 
Fortinet FortiManager vulnerability analysis and mitigation

CVE-2024-40584 is an OS Command Injection vulnerability discovered in multiple Fortinet products. The vulnerability affects the GUI components of FortiAnalyzer, FortiManager, FortiAnalyzer BigData, FortiAnalyzer Cloud, and FortiManager Cloud across various versions. It was internally discovered by Theo Leleu of Fortinet Product Security team and publicly disclosed on February 11, 2025 (Fortinet PSIRT).

The vulnerability is classified as an improper neutralization of special elements used in an OS command (CWE-78). It allows an authenticated privileged attacker to execute unauthorized code or commands via crafted HTTPS or HTTP requests. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).

The successful exploitation of this vulnerability could lead to escalation of privilege, allowing attackers to execute unauthorized code or commands on affected systems. This could potentially compromise the confidentiality, integrity, and availability of the affected systems (Fortinet PSIRT).

Fortinet has released patches for affected versions and recommends users to upgrade to the fixed versions: FortiAnalyzer 7.4.4 or above for 7.4.x versions, FortiAnalyzer 7.2.6 or above for 7.2.x versions, and similar upgrade paths for other affected products. For versions 7.0.x, 6.4.x, and 6.2.x, users are advised to migrate to a fixed release (Fortinet PSIRT).