CVE-2024-46666: 
FortiOS vulnerability analysis and mitigation

An allocation of resources without limits or throttling vulnerability (CVE-2024-46666) was discovered in FortiOS that affects multiple versions including 7.6.0, versions 7.4.4 through 7.4.0, 7.2 all versions, 7.0 all versions, and 6.4 all versions. The vulnerability was initially disclosed on January 14, 2025, and was discovered by Ben Barnea from Akamai under responsible disclosure (Fortinet PSIRT).

The vulnerability is classified as CWE-770 (Allocation of Resources Without Limits or Throttling) and affects the GUI component of FortiOS. It has been assigned a CVSS v3.1 base score of 5.3 (Medium severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The vulnerability allows specially crafted requests directed at specific endpoints to cause resource allocation issues (NVD).

The primary impact of this vulnerability is a denial of service condition, specifically preventing access to the GUI interface. The vulnerability allows a remote unauthenticated attacker to disrupt normal system operations through resource exhaustion (Fortinet PSIRT).

Fortinet has released patches for affected versions. Users should upgrade to the following versions: FortiOS 7.6.1 or above for 7.6 branch, 7.4.5 or above for 7.4 branch, and 7.2.9 or above for 7.2 branch. Users of FortiOS 7.0 and 6.4 all versions should migrate to a fixed release. Fortinet provides an upgrade path tool at their documentation site for guidance (Fortinet PSIRT).

The vulnerability has gained attention in the cybersecurity community, particularly being highlighted alongside other Fortinet vulnerabilities discovered by Akamai researchers. The disclosure was part of a broader security update that included multiple vulnerability fixes (Hacker News).