CVE-2024-40591

CVE Database · CVE-2024-40591

CVE-2024-40591

· HIGHAnalyzed

CVSS v3.1

8.8

EPSS

0.57%

Published

Feb 11, 2025

Modified

Jul 17, 2025

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

An incorrect privilege assignment vulnerability [CWE-266] in Fortinet FortiOS version 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9 and before 7.0.15 allows an authenticated admin whose access profile has the Security Fabric permission to escalate their privileges to super-admin by connecting the targetted FortiGate to a malicious upstream FortiGate they control.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-266

Affected Products (5)

fortinet · fortios (up to 6.4.16)vulnerable

fortinet · fortios (up to 7.0.16)vulnerable

fortinet · fortios (up to 7.2.10)vulnerable

fortinet · fortios (up to 7.4.5)vulnerable

fortinet · fortiosvulnerable

References (1)

https://fortiguard.fortinet.com/psirt/FG-IR-24-302

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs