Buffer overflow in administrative interface

Summary

A stack-based buffer overflow [CWE-121] vulnerability in the FortiOS administrative interface may allow a privileged attacker to execute arbitrary code or commands via crafted HTTP or HTTPS requests.

Version       Affected               Solution
FortiOS 7.4   7.4.0 through 7.4.1    Upgrade to 7.4.2 or above
FortiOS 7.2   7.2.1 through 7.2.7    Upgrade to 7.2.8 or above
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool
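As a quick check against the table above, the following Python snippet (added here; it is not part of the advisory and not FortiOS code) parses a version string, or the "Version:" line printed by the FortiOS CLI command get system status, and reports whether it falls inside an affected range. The sample status line and its build number are constructed. Branches the advisory does not list (for example 7.0) are reported as "not listed" rather than "fixed", because this advisory makes no statement about them.

```python
"""Check a FortiOS version against the affected ranges in this advisory."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Copied from the advisory table: (branch, first affected, last affected, first fixed).
AFFECTED = [
    ("7.4", (7, 4, 0), (7, 4, 1), (7, 4, 2)),
    ("7.2", (7, 2, 1), (7, 2, 7), (7, 2, 8)),
]

# Matches "7.4.1" or "v7.4.1" anywhere in the input.
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")

# Constructed example of the first line of `get system status`; the build number is made up.
SAMPLE_STATUS_LINE = "Version: FortiGate-100F v7.4.1,build2463,231010 (GA.F)"


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) from a bare version or a status line, or None."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(text: str) -> str:
    """Classify a version string against the advisory's affected ranges."""
    v = parse_version(text)
    if v is None:
        return "unknown: no version found"
    branch = f"{v[0]}.{v[1]}"
    for b, lo, hi, fixed in AFFECTED:
        if b != branch:
            continue
        if lo <= v <= hi:
            return f"affected: upgrade to {'.'.join(map(str, fixed))} or above"
        if v >= fixed:
            return "fixed"
        # Below the affected range on a listed branch (e.g. 7.2.0): the table does not name it.
        return "not listed as affected"
    # Branch absent from the table: the advisory says nothing about it, so do not call it safe.
    return "branch not listed in this advisory"


if __name__ == "__main__":
    print(SAMPLE_STATUS_LINE, "->", assess(SAMPLE_STATUS_LINE))
    for s in ("v7.2.0", "v7.2.8", "v7.0.12", "no version here"):
        print(s, "->", assess(s))
```

The comparison works on integer tuples, so 7.2.10 sorts after 7.2.8 correctly; a plain string comparison would get that wrong.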

A Virtual Patch named "FG-VD-54575.0day" is available in FMWP db update 24.011.

Acknowledgement

Internally discovered and reported by Théo Leleu of Fortinet Product Security team.

Timeline

2024-05-14: Initial publication
2024-06-19: Corrected affected versions
2025-01-15: Added IPS package info