About the Vulnerability
Introduction
Fortinet FortiOS is a security operating system developed by Fortinet Inc. specifically for the FortiGate platform. This system provides users with a variety of security features, including firewall, antivirus, IPSec/SSL VPN, Web content filtering, and anti-spam.
Summary
On March 12, 2025, Sangfor FarSight Labs received notification that multiple Fortinet products are affected by a code execution vulnerability (CVE-2024-45324), classified as high severity.
Unauthorized attackers can exploit an externally controlled format string to execute arbitrary code or commands through the GUI interfaces of FortiOS, FortiProxy, FortiPAM, FortiSRA, and FortiWeb, potentially compromising the server.
Affected Versions
7.4.0 ≤ FortiOS 7.4 ≤ 7.4.4
7.2.0 ≤ FortiOS 7.2 ≤ 7.2.9
7.0.0 ≤ FortiOS 7.0 ≤ 7.0.15
6.4.0 ≤ FortiOS 6.4 ≤ 6.4.15
6.2.0 ≤ FortiOS < 6.3
1.4.0 ≤ FortiPAM 1.4 ≤ 1.4.2
1.0.0 ≤ FortiPAM ≤ 1.3.1
FortiProxy 7.6.0
7.4.0 ≤ FortiProxy 7.4 ≤ 7.4.6
7.2.0 ≤ FortiProxy 7.2 ≤ 7.2.12
7.0.0 ≤ FortiProxy 7.0 ≤ 7.0.19
1.4.0 ≤ FortiSRA 1.4 ≤ 1.4.2
FortiWeb 7.6.0
7.4.0 ≤ FortiWeb 7.4 ≤ 7.4.5
7.2.0 ≤ FortiWeb 7.2 ≤ 7.2.10
Solutions
Remediation Solutions
Official Solution
Fortinet has officially released fixed versions for this vulnerability. Affected users are advised to upgrade FortiOS, FortiProxy, FortiPAM, FortiSRA and FortiWeb to the following versions:
FortiOS 7.4.5
FortiOS 7.2.10
FortiOS 7.0.16
FortiOS 6.4.16
FortiPAM 1.4.3
FortiPAM 1.3.2
FortiProxy 7.6.1
FortiProxy 7.4.7
FortiProxy 7.2.13
FortiProxy 7.0.20
FortiSRA 1.4.3
FortiWeb 7.6.1
FortiWeb 7.4.6
FortiWeb 7.2.11
FortiWeb 7.0.11
Download link: https://docs.fortinet.com/upgrade-tool
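As an added example that is not part of this advisory or of any Fortinet tool, the Python below encodes the affected ranges and fixed releases listed above and checks a product inventory against them; the hostnames and builds in INVENTORY are constructed for illustration.

```python
from typing import List, Optional, Tuple

# (product, lowest affected, upper bound, upper bound inclusive?, fixed release) from the advisory above.
AFFECTED = [
    ("FortiOS",    "7.4.0", "7.4.4",  True,  "7.4.5"),
    ("FortiOS",    "7.2.0", "7.2.9",  True,  "7.2.10"),
    ("FortiOS",    "7.0.0", "7.0.15", True,  "7.0.16"),
    ("FortiOS",    "6.4.0", "6.4.15", True,  "6.4.16"),
    ("FortiOS",    "6.2.0", "6.3.0",  False, None),  # 6.2.0 <= v < 6.3; no fixed build listed
    ("FortiPAM",   "1.4.0", "1.4.2",  True,  "1.4.3"),
    ("FortiPAM",   "1.0.0", "1.3.1",  True,  "1.3.2"),
    ("FortiProxy", "7.6.0", "7.6.0",  True,  "7.6.1"),
    ("FortiProxy", "7.4.0", "7.4.6",  True,  "7.4.7"),
    ("FortiProxy", "7.2.0", "7.2.12", True,  "7.2.13"),
    ("FortiProxy", "7.0.0", "7.0.19", True,  "7.0.20"),
    ("FortiSRA",   "1.4.0", "1.4.2",  True,  "1.4.3"),
    ("FortiWeb",   "7.6.0", "7.6.0",  True,  "7.6.1"),
    ("FortiWeb",   "7.4.0", "7.4.5",  True,  "7.4.6"),
    ("FortiWeb",   "7.2.0", "7.2.10", True,  "7.2.11"),
]

def parse_version(v: str) -> Tuple[int, ...]:
    """'v7.4.4' -> (7, 4, 4); missing components count as 0, so '6.3' == '6.3.0'."""
    parts = [int(p) for p in v.strip().lstrip("v").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def check(product: str, version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_release); fixed_release is None if the advisory lists none."""
    v = parse_version(version)
    for prod, lo, hi, inclusive, fixed in AFFECTED:
        if prod.lower() != product.lower():
            continue
        below_hi = v <= parse_version(hi) if inclusive else v < parse_version(hi)
        if parse_version(lo) <= v and below_hi:
            return True, fixed
    return False, None

# Constructed sample inventory (hostname,product,version); hosts and builds are made up.
INVENTORY = """fw-edge-01,FortiOS,7.2.7
fw-edge-02,FortiOS,7.2.10
fw-legacy,FortiOS,6.2.5
proxy-01,FortiProxy,7.6.0"""

def scan(inventory: str) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (host, product, version, fixed_release) for every affected inventory row."""
    findings = []
    for line in inventory.splitlines():
        host, product, version = (f.strip() for f in line.split(","))
        affected, fixed = check(product, version)
        if affected:
            findings.append((host, product, version, fixed))
    return findings
```

A fixed release of None (the FortiOS 6.2 branch) means the advisory names no patched build for that branch, so the host has to move to one of the fixed branches listed above.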
Timeline
On March 12, 2025, Sangfor FarSight Labs received notification of an unauthenticated remote code execution vulnerability affecting multiple Fortinet products.
On March 12, 2025, Sangfor FarSight Labs released a vulnerability alert.