FG-IR-24-325: Multiple format string vulnerabilities
First published: Tue Mar 11 2025(Updated: )
A use of externally-controlled format string vulnerability [CWE-134] in FortiOS, FortiProxy, FortiPAM, FortiSRA and FortiWeb may allow a privileged attacker to execute unauthorized code or commands via specially crafted HTTP or HTTPS commands.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiOS IPS Engine | >=7.4.0<=7.4.4 | |
| Fortinet FortiOS IPS Engine | >=7.2.0<=7.2.9 | |
| Fortinet FortiOS IPS Engine | >=7.0.0<=7.0.15 | |
| Fortinet FortiOS IPS Engine | >=6.4.0<=6.4.15 | |
| Fortinet FortiOS IPS Engine | >=6.2 | |
| FortiGuard FortiPAM | >=1.4.0<=1.4.2 | |
| FortiGuard FortiPAM | >=1.3.0<=1.3.1 | |
| FortiGuard FortiPAM | >=1.2 | |
| FortiGuard FortiPAM | >=1.1 | |
| FortiGuard FortiPAM | >=1.0 | |
| Fortinet FortiProxy | =. | |
| Fortinet FortiProxy | >=7.4.0<=7.4.6 | |
| Fortinet FortiProxy | >=7.2.0<=7.2.12 | |
| Fortinet FortiProxy | >=7.0.0<=7.0.19 | |
| Fortinet FortiSRA | >=1.4.0<=1.4.2 | |
| Fortinet FortiWeb | =. | |
| Fortinet FortiWeb | >=7.4.0<=7.4.5 | |
| Fortinet FortiWeb | >=7.2.0<=7.2.10 | |
| Fortinet FortiWeb | >=7.0.0<=7.0.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of FG-IR-24-325?
The severity of FG-IR-24-325 is critical due to the potential for unauthorized code execution.
How do I fix FG-IR-24-325?
To mitigate FG-IR-24-325, update to the recommended versions of affected products as specified by Fortinet.
Which products are affected by FG-IR-24-325?
FG-IR-24-325 affects FortiOS, FortiProxy, FortiPAM, FortiSRA, and FortiWeb versions prior to their respective remedies.
Who can exploit FG-IR-24-325?
FG-IR-24-325 can be exploited by a privileged attacker through specially crafted HTTP or HTTPS commands.
What kind of vulnerability is FG-IR-24-325?
FG-IR-24-325 is defined as a use of externally-controlled format string vulnerability, classified as CWE-134.
- collector/fortiguard-psirt-latest
- source/FortiGuard
- alias/CVE-2024-45324
- agent/last-modified-date
- agent/references
- agent/title
- agent/source
- agent/softwarecombine
- agent/tags
- agent/severity
- agent/description
- agent/first-publish-date
- agent/type
- agent/event
- collector/fortiguard-psirt
- agent/software-canonical-lookup
- vendor/fortinet
- canonical/fortinet fortios ips engine
- version/fortinet fortios ips engine/7.4.0
- version/fortinet fortios ips engine/7.4.4
- version/fortinet fortios ips engine/7.2.0
- version/fortinet fortios ips engine/7.2.9
- version/fortinet fortios ips engine/7.0.0
- version/fortinet fortios ips engine/7.0.15
- version/fortinet fortios ips engine/6.4.0
- version/fortinet fortios ips engine/6.4.15
- version/fortinet fortios ips engine/6.2
- canonical/fortiguard fortipam
- version/fortiguard fortipam/1.4.0
- version/fortiguard fortipam/1.4.2
- version/fortiguard fortipam/1.3.0
- version/fortiguard fortipam/1.3.1
- version/fortiguard fortipam/1.2
- version/fortiguard fortipam/1.1
- version/fortiguard fortipam/1.0
- canonical/fortinet fortiproxy
- version/fortinet fortiproxy/.
- version/fortinet fortiproxy/7.4.0
- version/fortinet fortiproxy/7.4.6
- version/fortinet fortiproxy/7.2.0
- version/fortinet fortiproxy/7.2.12
- version/fortinet fortiproxy/7.0.0
- version/fortinet fortiproxy/7.0.19
- canonical/fortinet fortisra
- version/fortinet fortisra/1.4.0
- version/fortinet fortisra/1.4.2
- canonical/fortinet fortiweb
- version/fortinet fortiweb/.
- version/fortinet fortiweb/7.4.0
- version/fortinet fortiweb/7.4.5
- version/fortinet fortiweb/7.2.0
- version/fortinet fortiweb/7.2.10
- version/fortinet fortiweb/7.0.0
- version/fortinet fortiweb/7.0.10