#VU107378 OS Command Injection in FortiVoice - CVE-2024-40587
Published: April 11, 2025
Vulnerability identifier: #VU107378
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-40587
CWE-ID: CWE-78
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
FortiVoice
FortiVoice
Software vendor:
Fortinet, Inc
Fortinet, Inc
Description
The vulnerability allows a local privileged user to execute arbitrary code.
The vulnerability exists due to improper neutralization of special elements used in an os command ('os command injection') in CLI. An authenticated privileged attacker can execute unauthorized code or commands via crafted CLI requests.
Remediation
Install update from vendor's website.