CVE-2024-45326
📋 TL;DR
An authenticated attacker with no privileges can perform unauthorized operations on FortiDeceptor central management appliances by sending crafted requests. This affects all versions of FortiDeceptor 5.0 through 5.3 and version 6.0.0. The vulnerability allows privilege escalation from low-privilege authenticated users.
💻 Affected Systems
- Fortinet FortiDeceptor
⚠️ Risk & Real-World Impact
Worst Case
An attacker could gain administrative control over the FortiDeceptor management system, potentially disabling deception defenses, exfiltrating sensitive configuration data, or using the compromised system as a foothold for lateral movement.
Likely Case
An authenticated low-privilege user could modify deception configurations, disable monitoring capabilities, or access sensitive system information they shouldn't have permission to view.
If Mitigated
With proper network segmentation and access controls, the impact would be limited to the FortiDeceptor appliance itself without allowing lateral movement to other systems.
🎯 Exploit Status
Exploitation requires authenticated access but no special privileges. Crafted HTTP requests to the management interface can bypass access controls.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiDeceptor 6.0.1 or later, 5.3.4 or later, 5.2.6 or later, 5.1.7 or later, 5.0.9 or later
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-285
Restart Required: Yes
Instructions:
1. Download the appropriate firmware update from the Fortinet support portal.
2. Back up the current configuration.
3. Apply the firmware update via the web GUI or CLI.
4. Reboot the appliance.
5. Verify that the update was successful.
🔧 Temporary Workarounds
Restrict Management Access
Limit access to the FortiDeceptor management interface to trusted administrative networks and users only.
Implement Network Segmentation
Isolate the FortiDeceptor management interface from general user networks and implement strict firewall rules.
🧯 If You Can't Patch
- Implement strict access controls to limit which users can authenticate to the FortiDeceptor management interface
- Monitor authentication logs and management interface access for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check the FortiDeceptor version via the web GUI (System > Dashboard) or the CLI (get system status). The system is vulnerable if the version is 6.0.0, or a 5.0.x, 5.1.x, 5.2.x or 5.3.x release older than the fixed version for that branch (5.0.9, 5.1.7, 5.2.6, 5.3.4).
Check Version:
get system status | grep Version
Verify Fix Applied:
After patching, verify the version is 6.0.1+, 5.3.4+, 5.2.6+, 5.1.7+, or 5.0.9+ using the same methods.
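The branch-aware version comparison described above, as an added example for triaging an inventory of appliances (not vendor code): the fixed releases are the ones listed in this advisory, and the "Version: v5.3.2,build0123" status-line layout and the device names are constructed assumptions.

```python
import re

# Minimum fixed release per affected branch, taken from the advisory above.
FIXED = {
    (5, 0): (5, 0, 9),
    (5, 1): (5, 1, 7),
    (5, 2): (5, 2, 6),
    (5, 3): (5, 3, 4),
    (6, 0): (6, 0, 1),
}

def parse_version(text):
    """Extract (major, minor, patch) from a bare version string or from a
    status line. The 'Version: v5.3.2,build0123' layout is an assumed
    format for illustration, not taken from vendor documentation."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version):
    """True if the version is in an affected branch and older than that
    branch's fixed release. Branches the advisory does not list are
    treated as unaffected."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return False
    return v < fixed

def triage(appliances):
    """appliances: {name: status_line}. Returns names still needing the patch."""
    return sorted(name for name, line in appliances.items() if is_vulnerable(line))

if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = {
        "decoy-mgr-01": "Version: v5.3.2,build0123",
        "decoy-mgr-02": "Version: v5.3.4,build0140",
        "decoy-mgr-03": "Version: v6.0.0,build0200",
        "decoy-mgr-04": "Version: v4.3.1,build0050",
    }
    for name in triage(sample):
        print(f"{name}: affected, upgrade required")
```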
📡 Detection & Monitoring
Log Indicators:
- Unusual management operations from low-privilege user accounts
- Multiple failed privilege escalation attempts followed by successful administrative operations
- Configuration changes from non-admin users
Network Indicators:
- HTTP POST/PUT requests to management API endpoints from unexpected source IPs
- Unusual traffic patterns to FortiDeceptor management interface
SIEM Query:
source="fortideceptor" AND (event_type="config_change" OR event_type="admin_operation") AND user_role!="admin"