CVE-2024-35279: 
FortiOS vulnerability analysis and mitigation

A stack-based buffer overflow vulnerability (CVE-2024-35279) was discovered in Fortinet FortiOS CAPWAP control. The vulnerability was initially published on February 11, 2025, affecting FortiOS versions 7.2.4 through 7.2.8 and 7.4.0 through 7.4.4. This security flaw was internally discovered by Stephen J. Bevan of the FortiOS development team (Fortinet PSIRT).

The vulnerability is classified as a stack-based buffer overflow (CWE-121) in the FortiOS CAPWAP control component. It has been assigned a CVSSv3 score of 7.7, indicating high severity. The vulnerability specifically affects the fabric service when running on exposed interfaces and can be exploited through crafted UDP packets on port 5246 (Fortinet PSIRT).

If successfully exploited, this vulnerability allows a remote unauthenticated attacker to execute arbitrary code or commands on the affected system. However, exploitation requires the attacker to bypass FortiOS stack protections and depends on the fabric service running on an exposed interface (CVE Details).

Fortinet has released patches to address this vulnerability. Users should upgrade FortiOS 7.4.x to version 7.4.5 or above, and FortiOS 7.2.x to version 7.2.9 or above. Alternative workarounds include removing the fabric service from affected interfaces or blocking CAPWAP-CONTROL access to port 5246 through a local-in policy. Additionally, users can apply the virtual patch FG-VD-10006068.0day available in FMWP database update 24.054 (Fortinet PSIRT).