CVE-2024-40591 in FortiOSinfo

Summary

by MITRE • 02/11/2025

An incorrect privilege assignment vulnerability [CWE-266] in Fortinet FortiOS version 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9 and before 7.0.15 allows an authenticated admin whose access profile has the Security Fabric permission to escalate their privileges to super-admin by connecting the targetted FortiGate to a malicious upstream FortiGate they control.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/17/2025

This vulnerability represents a critical privilege escalation flaw in Fortinet FortiOS that leverages improper access control mechanisms to allow authenticated administrators to gain super-admin privileges. The issue manifests through an incorrect privilege assignment vulnerability classified as CWE-266, which fundamentally undermines the principle of least privilege in the system's security architecture. The vulnerability affects multiple version ranges including 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9, and versions prior to 7.0.15, indicating this flaw has persisted across several major releases and represents a significant gap in the software's access control implementation.

The technical exploitation mechanism involves an authenticated administrator with Security Fabric permission who can manipulate the connection between a target FortiGate device and a malicious upstream FortiGate they control. This attack vector exploits the trust relationship between FortiGate devices within a security fabric, allowing the malicious actor to manipulate the privilege assignment process during device connection. The vulnerability essentially allows an attacker to bypass the normal privilege escalation controls that should prevent a user from gaining super-admin access without proper authorization. This flaw operates at the network infrastructure level, where the security fabric's trust model is compromised through device-to-device communication manipulation.

The operational impact of this vulnerability is severe as it enables attackers to gain full administrative control over affected FortiGate devices, potentially compromising the entire security infrastructure. Once escalated to super-admin privileges, attackers can modify firewall policies, access sensitive network data, manipulate security settings, and potentially establish persistent backdoors within the network. The vulnerability affects the fundamental security model of FortiOS by allowing privilege escalation through legitimate device connection mechanisms, making it particularly dangerous as it can be exploited through normal administrative workflows. This creates a significant risk for organizations relying on Fortinet's security fabric architecture, as a single compromised administrator account with Security Fabric permission could lead to complete network compromise.

Organizations should implement immediate mitigations including upgrading to patched versions of FortiOS, reviewing and restricting Security Fabric permissions for administrative accounts, and implementing network segmentation to limit the impact of compromised devices. The vulnerability aligns with ATT&CK technique T1078.004 which covers legitimate credentials and T1548.001 for privilege escalation. Network administrators should also monitor for unauthorized device connections and implement strict access controls for security fabric configurations. The incident response plan should include immediate isolation of affected devices and comprehensive security audits to identify potential exploitation attempts. This vulnerability demonstrates the critical importance of proper privilege management and the potential for supply chain attacks through device trust relationships in enterprise security infrastructure.

Responsible

Fortinet

Reservation

07/05/2024

Disclosure

02/11/2025

Moderation

accepted

CPE

ready

EPSS

0.00574

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!