PT-2025-6261 · Fortinet · FortiOS

Published

2025-02-11

·

Updated

2025-07-17

·

CVE-2024-40591

CVSS v2.0

9.0

High

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: FortiOS 7.6.0; 7.4.0 through 7.4.4; 7.2.0 through 7.2.9; 7.0 releases prior to 7.0.15; and all 6.4.x releases.
Description: The vulnerability is an incorrect privilege assignment in FortiOS. An authenticated administrator whose admin profile grants the Security Fabric permission can escalate to super-admin by joining the targeted FortiGate, as a downstream device, to a malicious upstream FortiGate that the attacker controls. Exploitation therefore requires valid administrator credentials that carry the Security Fabric permission and the ability to point the device's Fabric upstream at an attacker-controlled host; super-admin credentials are not needed beforehand.
Recommendations: Update FortiOS 7.6.0, 7.4.0 through 7.4.4, and 7.2.0 through 7.2.9 to a release that contains the fix; update 7.0 releases to 7.0.15 or later; for 6.4.x, update to a release that contains the fix (no fixed 6.4 release is listed here). Until the update is applied, limit the Security Fabric permission to the smallest set of admin profiles that genuinely need it and review which administrator accounts are assigned those profiles, since that permission is the precondition for exploitation.
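A practical check for the precondition described above (which administrator accounts hold the Security Fabric permission) together with the interim workaround from the recommendations, as an added example that is not part of the advisory or of any Fortinet tooling. It assumes the permission is stored in `config system accprofile` as `set secfabgrp none|read|read-write`, that `super_admin` is the built-in full-privilege profile, and that the dump follows the `config / edit / set / next / end` layout of `show full-configuration`; the configuration it parses is a constructed sample, not a capture from a real device.

```python
"""Audit a FortiOS configuration dump for administrator accounts whose admin
profile grants the Security Fabric permission (the precondition for
CVE-2024-40591) and emit the interim hardening commands.

Added example; not code from the advisory or from Fortinet. Assumption: the
Security Fabric permission appears in `config system accprofile` as
`set secfabgrp none|read|read-write`.
"""
import re
from collections import defaultdict

# Constructed sample of a config dump (not captured from a real device). The
# nested block under "admin" is there only to exercise the parser's nesting.
SAMPLE_CONFIG = """\
config system accprofile
    edit "super_admin"
        set scope global
        set secfabgrp read-write
        set sysgrp read-write
    next
    edit "fabric_ops"
        set scope vdom
        set secfabgrp read-write
        set sysgrp read
    next
    edit "noc_readonly"
        set scope vdom
        set secfabgrp read
        set sysgrp read
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
    next
    edit "alice"
        set accprofile "fabric_ops"
    next
    edit "bob"
        set accprofile "noc_readonly"
    next
end
"""

SECTION_RE = re.compile(r'^config (.+)$')
EDIT_RE = re.compile(r'^edit "?([^"]+)"?$')
SET_RE = re.compile(r'^set (\S+) (.*)$')


def parse_config(text):
    """Return {section: {entry: {key: value}}} for top-level tables only.

    Nested `config` blocks inside an entry are tracked on a stack so their
    edit/set/next lines do not pollute the parent entry.
    """
    sections = defaultdict(dict)
    stack = []            # names of currently open `config` blocks
    entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            stack.append(m.group(1))
        elif line == "end":
            stack.pop()
        elif len(stack) != 1:
            continue          # inside a nested table, or outside any block
        elif m := EDIT_RE.match(line):
            entry = m.group(1)
            sections[stack[0]].setdefault(entry, {})
        elif m := SET_RE.match(line):
            values = sections[stack[0]].setdefault(entry, {})
            values[m.group(1)] = m.group(2).strip('"')
        elif line == "next":
            entry = None
    return sections


def fabric_capable_admins(sections):
    """Map admin name -> profile for accounts whose profile grants Security
    Fabric read-write, i.e. the accounts in a position to abuse this bug.
    super_admin accounts are excluded: they already hold full privileges."""
    profiles = sections.get("system accprofile", {})
    admins = sections.get("system admin", {})
    hits = {}
    for name, attrs in admins.items():
        profile = attrs.get("accprofile")
        if profile == "super_admin":
            continue
        if profiles.get(profile, {}).get("secfabgrp", "none") == "read-write":
            hits[name] = profile
    return hits


def workaround_commands(sections, level="none"):
    """CLI lines that downgrade Security Fabric access on every non-super_admin
    profile that currently has read-write (the advisory's interim workaround)."""
    profiles = sections.get("system accprofile", {})
    out = ["config system accprofile"]
    for name, attrs in profiles.items():
        if name != "super_admin" and attrs.get("secfabgrp") == "read-write":
            out += [f'    edit "{name}"', f"        set secfabgrp {level}", "    next"]
    out.append("end")
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for admin, profile in fabric_capable_admins(parsed).items():
        print(f"{admin}: profile {profile!r} grants Security Fabric read-write")
    print(workaround_commands(parsed))
```

Feed it the text of `show full-configuration` from the device. `workaround_commands` defaults to `none`; pass `level="read"` if operators still need to view the Fabric topology, bearing in mind that the advisory only says to restrict the permission and does not state whether read access alone is safe.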

Fix

LPE

Weakness Enumeration: Incorrect Privilege Assignment (CWE-266)

Related Identifiers: BDU:2025-01611, CVE-2024-40591

Affected Products: FortiOS