CVE-2024-40591: 
FortiOS vulnerability analysis and mitigation

An incorrect privilege assignment vulnerability (CVE-2024-40591) was discovered in Fortinet FortiOS security fabric. The vulnerability affects multiple versions including FortiOS 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9, and versions before 7.0.15. The issue was internally discovered and reported by Justin Lum from Fortinet's R&D team and was initially published on February 11, 2025 (Fortinet PSIRT).

The vulnerability is classified as an incorrect privilege assignment vulnerability [CWE-266] in the FortiOS security fabric. It has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact across confidentiality, integrity, and availability (NVD).

The vulnerability allows an authenticated admin with Security Fabric permission to escalate their privileges to super-admin level. This privilege escalation can be achieved by connecting the targeted FortiGate to a malicious upstream FortiGate under the attacker's control (Fortinet PSIRT).

Fortinet has released patches for affected versions and recommends upgrading to the following versions: FortiOS 7.6.1 or above for 7.6.x, FortiOS 7.4.5 or above for 7.4.x, FortiOS 7.2.10 or above for 7.2.x, and FortiOS 7.0.16 or above for 7.0.x. Users on FortiOS 6.4 are advised to migrate to a fixed release. Fortinet provides an upgrade path tool to assist with the update process (Fortinet PSIRT).