FG-IR-24-397: OS command injection on diagnose feature (GUI)
First published: Tue Apr 08 2025(Updated: )
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiIsolator may allow a privileged attacker with super-admin profile and CLI access to execute unauthorized code via specifically crafted HTTP requests.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiIsolator | >=2.4.3<=2.4.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of FG-IR-24-397?
The severity of FG-IR-24-397 is critical due to its potential for OS command injection by privileged attackers.
How do I fix FG-IR-24-397?
To fix FG-IR-24-397, upgrade FortiIsolator to version 2.4.7 or later.
What versions of FortiIsolator are affected by FG-IR-24-397?
FortiIsolator versions 2.4.3 to 2.4.6 are affected by FG-IR-24-397.
Who can exploit the vulnerability FG-IR-24-397?
Only a privileged attacker with a super-admin profile and CLI access can exploit FG-IR-24-397.
What type of vulnerability is FG-IR-24-397?
FG-IR-24-397 is categorized as an OS Command Injection vulnerability (CWE-78).
- collector/fortiguard-psirt-latest
- source/FortiGuard
- alias/CVE-2024-54024
- agent/severity
- agent/title
- agent/references
- agent/source
- agent/weakness
- agent/last-modified-date
- agent/softwarecombine
- agent/type
- agent/description
- agent/first-publish-date
- agent/tags
- collector/fortiguard-psirt
- agent/software-canonical-lookup
- agent/event
- vendor/fortinet
- canonical/fortinet fortiisolator
- version/fortinet fortiisolator/2.4.3
- version/fortinet fortiisolator/2.4.6