A critical bug in FortiDDoS-F leads to the execution of unauthorized commands

Redazione RHC : 9 September 2025 20:41

A security flaw has been discovered in Fortinet’s FortiDDoS-F product line that could allow a privileged attacker to execute prohibited commands. The vulnerability, classified as CVE-2024-45325, involves an operating system command injection issue located in the product’s command line interface (CLI).

Despite the elevated privilege requirements, the potential impact on confidentiality, integrity, and availability is high. The issue was discovered internally and reported by Théo Leleu of Fortinet’s Product Security team.

The vulnerability, identified as CWE-78, results from an improper neutralization of special elements used in an operating system command. An attacker with elevated privileges and local access to the system could exploit this weakness by sending specially crafted requests to the CLI.

Fortinet has confirmed that several versions of FortiDDoS-F are affected by this vulnerability. Advisory FG-IR-24-344, published on September 9, 2025, describes the specific releases and recommended actions for administrators.

A successful exploit would allow the attacker to execute arbitrary code or commands with the application’s permissions, potentially leading to system compromise. The vulnerability has been assigned a CVSSv3 score of 6.5, classifying it as medium severity.

Administrators using vulnerable versions are strongly advised to apply the recommended updates or migrate to a patched version to prevent potential exploitation.

Organizations using FortiDDoS-F 7.0 should immediately upgrade to version 7.0.3, while those using older branches (6.1 through 6.6) should plan to migrate to a secure version.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.

Lista degli articoli