CVE-2024-55594 - Vulnerability Details - OpenCVE

An improper handling of syntactically invalid structure in Fortinet FortiWeb at least vesrions 7.4.0 through 7.4.6 and 7.2.0 through 7.2.10 and 7.0.0 through 7.0.10 allows attacker to execute unauthorized code or commands via HTTP/S crafted requests.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Fortinet	Fortiweb

Configuration 1 [-]

cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://fortiguard.fortinet.com/psirt/FG-IR-23-115

History

Thu, 24 Jul 2025 20:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:fortinet:fortiweb::::::::

Mon, 14 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00071}`	epss `{'score': 0.00098}`

Fri, 14 Mar 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 14 Mar 2025 16:30:00 +0000

Type	Values Removed	Values Added
Description		An improper handling of syntactically invalid structure in Fortinet FortiWeb at least vesrions 7.4.0 through 7.4.6 and 7.2.0 through 7.2.10 and 7.0.0 through 7.0.10 allows attacker to execute unauthorized code or commands via HTTP/S crafted requests.
Weaknesses		CWE-228
References		https://fortiguard.fortinet.com/psirt/FG-IR-23-115
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:X/RC:X'}`

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2025-03-14T16:25:33.078Z

Updated: 2025-03-14T16:58:29.982Z

Reserved: 2024-12-09T11:19:49.471Z

Link: CVE-2024-55594

Vulnrichment

Updated: 2025-03-14T16:58:19.241Z

NVD

Status : Analyzed

Published: 2025-03-14T17:15:48.653

Modified: 2025-07-24T20:14:38.823

Link: CVE-2024-55594

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-55594", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2024-12-09T11:19:49.471Z", "datePublished": "2025-03-14T16:25:33.078Z", "dateUpdated": "2025-03-14T16:58:29.982Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiWeb", "cpes": [], "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "7.4.0", "lessThanOrEqual": "7.4.6", "status": "affected"}, {"versionType": "semver", "version": "7.2.0", "lessThanOrEqual": "7.2.10", "status": "affected"}, {"versionType": "semver", "version": "7.0.0", "lessThanOrEqual": "7.0.10", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "An improper handling of syntactically invalid structure in Fortinet FortiWeb at least vesrions 7.4.0 through 7.4.6 and 7.2.0 through 7.2.10 and 7.0.0 through 7.0.10 allows attacker to execute unauthorized code or commands via HTTP/S crafted requests."}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2025-03-14T16:25:33.078Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-228", "description": "Execute unauthorized code or commands", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:X/RC:X"}}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiWeb version 7.6.0 or above \nPlease upgrade to FortiWeb version 7.4.7 or above"}], "references": [{"name": "https://fortiguard.fortinet.com/psirt/FG-IR-23-115", "url": "https://fortiguard.fortinet.com/psirt/FG-IR-23-115"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-14T16:57:33.359876Z", "id": "CVE-2024-55594", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-14T16:58:29.982Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-55594", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-14T16:57:33.359876Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-14T16:58:19.241Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:X/RC:X", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"cpes": [], "vendor": "Fortinet", "product": "FortiWeb", "versions": [{"status": "affected", "version": "7.4.0", "versionType": "semver", "lessThanOrEqual": "7.4.6"}, {"status": "affected", "version": "7.2.0", "versionType": "semver", "lessThanOrEqual": "7.2.10"}, {"status": "affected", "version": "7.0.0", "versionType": "semver", "lessThanOrEqual": "7.0.10"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiWeb version 7.6.0 or above \nPlease upgrade to FortiWeb version 7.4.7 or above"}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-23-115", "name": "https://fortiguard.fortinet.com/psirt/FG-IR-23-115"}], "descriptions": [{"lang": "en", "value": "An improper handling of syntactically invalid structure in Fortinet FortiWeb at least vesrions 7.4.0 through 7.4.6 and 7.2.0 through 7.2.10 and 7.0.0 through 7.0.10 allows attacker to execute unauthorized code or commands via HTTP/S crafted requests."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-228", "description": "Execute unauthorized code or commands"}]}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2025-03-14T16:25:33.078Z"}}}, "cveMetadata": {"cveId": "CVE-2024-55594", "state": "PUBLISHED", "dateUpdated": "2025-03-14T16:58:29.982Z", "dateReserved": "2024-12-09T11:19:49.471Z", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "datePublished": "2025-03-14T16:25:33.078Z", "assignerShortName": "fortinet"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*", "matchCriteriaId": "FE224E36-1AE2-4F66-9B2F-8D1AD7F8A54A", "versionEndExcluding": "7.4.7", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An improper handling of syntactically invalid structure in Fortinet FortiWeb at least vesrions 7.4.0 through 7.4.6 and 7.2.0 through 7.2.10 and 7.0.0 through 7.0.10 allows attacker to execute unauthorized code or commands via HTTP/S crafted requests."}, {"lang": "es", "value": "Una gesti\u00f3n inadecuada de una estructura sint\u00e1cticamente no v\u00e1lida en Fortinet FortiWeb al menos en las versiones 7.4.0 a 7.4.6 y 7.2.0 a 7.2.10 y 7.0.0 a 7.0.10 permite a un atacante ejecutar c\u00f3digo o comandos no autorizados a trav\u00e9s de solicitudes HTTP/S manipuladas."}], "id": "CVE-2024-55594", "lastModified": "2025-07-24T20:14:38.823", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.4, "source": "psirt@fortinet.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-14T17:15:48.653", "references": [{"source": "psirt@fortinet.com", "tags": ["Vendor Advisory"], "url": "https://fortiguard.fortinet.com/psirt/FG-IR-23-115"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-228"}], "source": "psirt@fortinet.com", "type": "Primary"}]}