CVE-2024-46670: 
FortiOS vulnerability analysis and mitigation

CVE-2024-46670 is an Out-of-bounds Read vulnerability affecting FortiOS and FortiSASE FortiOS tenant IPsec IKE service. The vulnerability was discovered in January 2025 and affects FortiOS version 7.6.0, version 7.4.4 and below, version 7.2.9 and below, and FortiSASE FortiOS tenant version 24.3.b. This security flaw was reported by n3k & Yue Liu from TIANGONG Team of Legendsec at QI-ANXIN Group (Fortinet Advisory).

The vulnerability is classified as an Out-of-bounds Read (CWE-125) issue in the IPsec IKE service. It has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

When exploited, this vulnerability allows an unauthenticated remote attacker to trigger memory consumption leading to Denial of Service through crafted requests to the affected systems (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users should upgrade to FortiOS version 7.6.1 or above for 7.6 branch, version 7.4.5 or above for 7.4 branch, and version 7.2.10 or above for 7.2 branch. FortiSASE customers using version 24.3.c have already been remediated. Additionally, a virtual patch named 'FG-VD-10007169.0day' is available in FMWP db update 24.111 (Fortinet Advisory).