What is the severity of CVE-2024-40591?

CVE-2024-40591 is classified as a high severity vulnerability due to the potential for privilege escalation.

How do I fix CVE-2024-40591?

To address CVE-2024-40591, update Fortinet FortiOS to version 7.4.5 or later, 7.3.0 or later, or 7.0.15 or later.

Who is affected by CVE-2024-40591?

CVE-2024-40591 affects users of Fortinet FortiOS versions 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9, and versions before 7.0.15.

What type of vulnerability is CVE-2024-40591?

CVE-2024-40591 is an incorrect privilege assignment vulnerability, allowing unauthorized privilege escalation.

What is the impact of exploiting CVE-2024-40591?

Exploitation of CVE-2024-40591 allows an authenticated admin to escalate their privileges to super-admin status, potentially compromising system security.

Vulnerability/
CVE-2024-40591

Exploited

high

8.8

CWE

266

11/2/2025

14/2/2025

CVE-2024-40591: Permission escalation due to an Improper Privilege Management

First published: Tue Feb 11 2025(Updated: )

An incorrect privilege assignment vulnerability [CWE-266] in Fortinet FortiOS version 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9 and before 7.0.15 allows an authenticated admin whose access profile has the Security Fabric permission to escalate their privileges to super-admin by connecting the targetted FortiGate to a malicious upstream FortiGate they control.

Credit: psirt@fortinet.com

Affected Software	Affected Version	How to fix
Fortinet FortiOS IPS Engine	>=7.4.0<7.4.5>=7.2.0<7.3.0<7.0.15
Fortinet FortiOS IPS Engine	=.
Fortinet FortiOS IPS Engine	>=7.4.0<=7.4.4
Fortinet FortiOS IPS Engine	>=7.2.0<=7.2.9
Fortinet FortiOS IPS Engine	>=7.0.0<=7.0.15
Fortinet FortiOS IPS Engine	>=6.4

Remedy

Please upgrade to FortiOS version 7.6.1 or above Please upgrade to FortiOS version 7.4.5 or above Please upgrade to FortiOS version 7.2.10 or above Please upgrade to FortiOS version 7.0.16 or above

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-40591?
CVE-2024-40591 is classified as a high severity vulnerability due to the potential for privilege escalation.
How do I fix CVE-2024-40591?
To address CVE-2024-40591, update Fortinet FortiOS to version 7.4.5 or later, 7.3.0 or later, or 7.0.15 or later.
Who is affected by CVE-2024-40591?
CVE-2024-40591 affects users of Fortinet FortiOS versions 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9, and versions before 7.0.15.
What type of vulnerability is CVE-2024-40591?
CVE-2024-40591 is an incorrect privilege assignment vulnerability, allowing unauthorized privilege escalation.
What is the impact of exploiting CVE-2024-40591?
Exploitation of CVE-2024-40591 allows an authenticated admin to escalate their privileges to super-admin status, potentially compromising system security.

agent/remedy
agent/weakness
agent/type
collector/fortiguard-psirt-latest
source/FortiGuard
alias/CVE-2024-40591
agent/first-publish-date
agent/title
agent/softwarecombine
agent/description
collector/nvd-api
source/NVD
agent/author
collector/mitre-cve
source/MITRE
agent/last-modified-date
collector/the-register
source/The Register
agent/references
agent/source
agent/severity
agent/trending
agent/tags
agent/news-ai
exploited/true
agent/event
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
collector/fortiguard-psirt
vendor/fortinet
canonical/fortinet fortios ips engine
version/fortinet fortios ips engine/.
version/fortinet fortios ips engine/7.4.0
version/fortinet fortios ips engine/7.4.4
version/fortinet fortios ips engine/7.2.0
version/fortinet fortios ips engine/7.2.9
version/fortinet fortios ips engine/7.0.0
version/fortinet fortios ips engine/7.0.15
version/fortinet fortios ips engine/6.4