SQL Injection Vulnerability in Fortinet FortiAnalyzer and FortiManager
CVE-2024-33501
4 MEDIUM
What is CVE-2024-33501?
A vulnerability in Fortinet's FortiAnalyzer, FortiManager, and FortiAnalyzer-BigData products arises from improper neutralization of special elements used in SQL commands (SQL injection). The flaw allows a privileged attacker to execute unauthorized code or commands through specially crafted command-line interface (CLI) requests, potentially compromising the integrity of the affected systems. Users running FortiAnalyzer or FortiManager versions 7.4.0 to 7.4.2 or earlier versions, or earlier versions of FortiAnalyzer-BigData, should immediately assess their exposure and apply the necessary patches.
Affected Version(s)
FortiManager 7.4.0 through 7.4.2
FortiManager 7.2.0 through 7.2.5
FortiManager 7.0.0 through 7.0.13