CVE-2024-40588: 
Fortimail vulnerability analysis and mitigation

Multiple relative path traversal vulnerabilities [CWE-23] were discovered in various Fortinet products including FortiMail, FortiVoice, FortiRecorder, FortiCamera & FortiNDR. The vulnerability was assigned CVE-2024-40588 and was discovered internally by Théo Leleu of the Fortinet Product Security team. The issue was initially published on August 12, 2025, with an update following on August 13, 2025 (Fortinet PSIRT).

The vulnerability allows a privileged attacker to read files from the underlying filesystem via crafted CLI requests. The issue has been classified with a CVSSv3 Score of 4.2 (Medium severity) and primarily impacts the CLI component of affected systems. The vulnerability is characterized as an improper access control issue (Fortinet PSIRT).

The vulnerability enables unauthorized file reading from the underlying filesystem, potentially exposing sensitive system information to privileged attackers. This improper access control vulnerability could lead to information disclosure and potential system compromise (Fortinet PSIRT).

Fortinet has released various fixes for affected products: FortiMail users should upgrade to version 7.6.2 or above (for 7.6.x branch) or 7.4.4 or above (for 7.4.x branch). FortiNDR users should upgrade to version 7.6.2 or above (for 7.6.x branch) or 7.4.7 or above (for 7.4.x branch). FortiRecorder users should upgrade to version 7.2.2 or above (for 7.2.x branch) or 7.0.5 or above (for 7.0.x branch). FortiVoice users should upgrade to version 7.0.5 or above (for 7.0.x branch) or 6.4.10 or above (for 6.4.x branch) (Fortinet PSIRT).