CVE-2024-45324: 
FortiOS vulnerability analysis and mitigation

A use of externally-controlled format string vulnerability (CVE-2024-45324) was discovered in multiple Fortinet products, including FortiOS, FortiProxy, FortiPAM, FortiSRA, and FortiWeb. The vulnerability was initially published on March 11, 2025, and received a High severity rating with a CVSSv3 score of 7.0. This security flaw affects multiple versions of these products, including FortiOS versions 6.2 through 7.4.4, FortiProxy versions 7.0 through 7.6.0, FortiPAM versions 1.0 through 1.4.2, and FortiWeb versions 7.0 through 7.6.0 (Fortinet PSIRT, NVD).

The vulnerability is classified as CWE-134 (Use of Externally-Controlled Format String) and affects the GUI component of the affected Fortinet products. The flaw allows privileged attackers to execute unauthorized code or commands through specially crafted HTTP or HTTPS commands. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.2 HIGH with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility with low attack complexity, though requiring high privileges (Fortinet PSIRT).

If successfully exploited, this vulnerability could allow an attacker with privileged access to execute unauthorized code or commands on affected systems. The high CVSS score reflects the potential for significant impact on the confidentiality, integrity, and availability of the affected systems (Fortinet PSIRT).

Fortinet has released patches for all affected products and versions. Users are advised to upgrade to the following versions: FortiOS to 7.4.5 or above, FortiProxy to 7.4.7 or above, FortiPAM to 1.4.3 or above, FortiSRA to 1.4.3 or above, and FortiWeb to 7.4.6 or above. For older versions, users should migrate to a fixed release. Fortinet provides an upgrade tool at their documentation site to help users follow the recommended upgrade path (Fortinet PSIRT).