CVE-2024-54021: 
FortiOS vulnerability analysis and mitigation

An improper neutralization of CRLF sequences in HTTP headers ('http response splitting') vulnerability was discovered in Fortinet FortiOS versions 7.2.0 through 7.6.0 and FortiProxy versions 7.2.0 through 7.4.5. The vulnerability was disclosed on January 14, 2025, and is tracked as CVE-2024-54021. This security flaw allows attackers to execute unauthorized code or commands via crafted HTTP headers (Fortinet Advisory).

The vulnerability is classified as CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers). It received a CVSS v3.1 base score of 6.5 MEDIUM from Fortinet, while NIST assigned it a more severe CVSS v3.1 base score of 9.8 CRITICAL with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability specifically affects the file filter functionality in the explicit web proxy policy (NVD).

If exploited, this vulnerability allows attackers to bypass the file filter via crafted HTTP headers and potentially execute unauthorized code or commands. The high CVSS score from NIST indicates that successful exploitation could lead to complete system compromise with no special privileges or user interaction required (NVD).

Fortinet has released patches to address this vulnerability. FortiOS users should upgrade to version 7.6.1 or above for 7.6 branch, 7.4.5 or above for 7.4 branch, and 7.2.9 or above for 7.2 branch. FortiProxy users should upgrade to version 7.4.6 or above for 7.4 branch and 7.2.12 or above for 7.2 branch. FortiSASE customers using version 24.3.56 and above are already protected as the issue was remediated in Q3/24 (Fortinet Advisory).