OS Command Injection in FortiVoice - CVE-2024-40587
Published: April 11, 2025
Vulnerability identifier: #VU107378
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-40587
CWE-ID: CWE-78
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Fortinet, Inc
Affected software:
FortiVoice
FortiVoice
Detailed vulnerability description
The vulnerability allows a local privileged user to execute arbitrary code.
The vulnerability exists due to improper neutralization of special elements used in an os command ('os command injection') in CLI. An authenticated privileged attacker can execute unauthorized code or commands via crafted CLI requests.
How to mitigate CVE-2024-40587
Install update from vendor's website.