CVE-2024-45324: Multiple format string vulnerabilities
First published: Tue Mar 11 2025(Updated: )
A use of externally-controlled format string vulnerability [CWE-134] in FortiOS version 7.4.0 through 7.4.4, version 7.2.0 through 7.2.9, version 7.0.0 through 7.0.15 and before 6.4.15, FortiProxy version 7.4.0 through 7.4.6, version 7.2.0 through 7.2.12 and before 7.0.19, FortiPAM version 1.4.0 through 1.4.2 and before 1.3.1, FortiSRA version 1.4.0 through 1.4.2 and before 1.3.1 and FortiWeb version 7.4.0 through 7.4.5, version 7.2.0 through 7.2.10 and before 7.0.10 allows a privileged attacker to execute unauthorized code or commands via specially crafted HTTP or HTTPS commands.
Credit: psirt@fortinet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiOS IPS Engine | >=7.4.0<=7.4.4>=7.2.0<=7.2.9>=7.0.0<=7.0.15<6.4.15 | |
| Fortinet FortiProxy | >=7.4.0<=7.4.6>=7.2.0<=7.2.12<7.0.19 | |
| FortiGuard FortiPAM | >=1.4.0<=1.4.2<1.3.1 | |
| >=1.4.0<=1.4.2<1.3.1 | ||
| Fortinet FortiWeb | >=7.4.0<=7.4.5>=7.2.0<=7.2.10<7.0.10 | |
| Fortinet FortiOS IPS Engine | >=7.4.0<=7.4.4 | |
| Fortinet FortiOS IPS Engine | >=7.2.0<=7.2.9 | |
| Fortinet FortiOS IPS Engine | >=7.0.0<=7.0.15 | |
| Fortinet FortiOS IPS Engine | >=6.4.0<=6.4.15 | |
| Fortinet FortiOS IPS Engine | >=6.2 | |
| FortiGuard FortiPAM | >=1.4.0<=1.4.2 | |
| FortiGuard FortiPAM | >=1.3.0<=1.3.1 | |
| FortiGuard FortiPAM | >=1.2 | |
| FortiGuard FortiPAM | >=1.1 | |
| FortiGuard FortiPAM | >=1.0 | |
| Fortinet FortiProxy | =. | |
| Fortinet FortiProxy | >=7.4.0<=7.4.6 | |
| Fortinet FortiProxy | >=7.2.0<=7.2.12 | |
| Fortinet FortiProxy | >=7.0.0<=7.0.19 | |
| Fortinet FortiSRA | >=1.4.0<=1.4.2 | |
| Fortinet FortiWeb | =. | |
| Fortinet FortiWeb | >=7.4.0<=7.4.5 | |
| Fortinet FortiWeb | >=7.2.0<=7.2.10 | |
| Fortinet FortiWeb | >=7.0.0<=7.0.10 |
Remedy
Please upgrade to FortiPAM version 1.5.0 or above Please upgrade to FortiPAM version 1.4.3 or above Please upgrade to FortiPAM version 1.3.2 or above Please upgrade to FortiProxy version 7.6.1 or above Please upgrade to FortiProxy version 7.4.7 or above Please upgrade to FortiProxy version 7.2.13 or above Please upgrade to FortiProxy version 7.0.20 or above Please upgrade to FortiSRA version 1.5.0 or above Please upgrade to FortiSRA version 1.4.3 or above Please upgrade to FortiAuthenticator version 7.0.0 or above Please upgrade to FortiWeb version 7.6.1 or above Please upgrade to FortiWeb version 7.4.6 or above Please upgrade to FortiWeb version 7.2.11 or above Please upgrade to FortiWeb version 7.0.11 or above Please upgrade to FortiOS version 7.6.0 or above Please upgrade to FortiOS version 7.4.5 or above Please upgrade to FortiOS version 7.2.10 or above Please upgrade to FortiOS version 7.0.16 or above Please upgrade to FortiOS version 6.4.16 or above Please upgrade to FortiSASE version 24.4.b1 or above
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-45324?
CVE-2024-45324 is classified as a high severity vulnerability due to its potential to allow attackers to exploit the system through controlled format strings.
How do I fix CVE-2024-45324?
To remediate CVE-2024-45324, it is advised to upgrade affected FortiOS and FortiProxy versions to their respective patched versions.
Which versions are affected by CVE-2024-45324?
CVE-2024-45324 affects FortiOS versions from 7.4.0 to 7.4.4, 7.2.0 to 7.2.9, 7.0.0 to 7.0.15, and below 6.4.15 as well as specific FortiProxy and FortiPAM versions.
What types of products are impacted by CVE-2024-45324?
CVE-2024-45324 impacts FortiOS, FortiProxy, FortiPAM, FortiSRA, and FortiWeb products.
Is there an immediate risk if I am using a vulnerable version associated with CVE-2024-45324?
Yes, using a vulnerable version related to CVE-2024-45324 poses an immediate risk of exploitation by malicious actors.
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/type
- agent/weakness
- agent/guess-ai
- agent/software-canonical-lookup
- collector/fortiguard-psirt-latest
- source/FortiGuard
- alias/CVE-2024-45324
- agent/references
- agent/title
- agent/description
- agent/first-publish-date
- collector/fortiguard-psirt
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/source
- agent/severity
- agent/author
- agent/tags
- agent/event
- vendor/fortinet
- canonical/fortinet fortios ips engine
- canonical/fortinet fortiproxy
- canonical/fortiguard fortipam
- canonical/fortinet fortiweb
- version/fortinet fortios ips engine/7.4.0
- version/fortinet fortios ips engine/7.4.4
- version/fortinet fortios ips engine/7.2.0
- version/fortinet fortios ips engine/7.2.9
- version/fortinet fortios ips engine/7.0.0
- version/fortinet fortios ips engine/7.0.15
- version/fortinet fortios ips engine/6.4.0
- version/fortinet fortios ips engine/6.4.15
- version/fortinet fortios ips engine/6.2
- version/fortiguard fortipam/1.4.0
- version/fortiguard fortipam/1.4.2
- version/fortiguard fortipam/1.3.0
- version/fortiguard fortipam/1.3.1
- version/fortiguard fortipam/1.2
- version/fortiguard fortipam/1.1
- version/fortiguard fortipam/1.0
- version/fortinet fortiproxy/.
- version/fortinet fortiproxy/7.4.0
- version/fortinet fortiproxy/7.4.6
- version/fortinet fortiproxy/7.2.0
- version/fortinet fortiproxy/7.2.12
- version/fortinet fortiproxy/7.0.0
- version/fortinet fortiproxy/7.0.19
- canonical/fortinet fortisra
- version/fortinet fortisra/1.4.0
- version/fortinet fortisra/1.4.2
- version/fortinet fortiweb/.
- version/fortinet fortiweb/7.4.0
- version/fortinet fortiweb/7.4.5
- version/fortinet fortiweb/7.2.0
- version/fortinet fortiweb/7.2.10
- version/fortinet fortiweb/7.0.0
- version/fortinet fortiweb/7.0.10