CVE-2024-46668: 
FortiOS vulnerability analysis and mitigation

CVE-2024-46668 is a resource allocation vulnerability affecting FortiOS, discovered in January 2025. The vulnerability exists in some FortiOS API endpoints where an allocation of resources without limits or throttling [CWE-770] could allow an unauthenticated remote user to consume all system memory through multiple large file uploads. The affected versions include FortiOS 7.4.0-7.4.4, 7.2.0-7.2.8, 7.0.0-7.0.15, and 6.4.0-6.4.15 (Fortinet Advisory, NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 7.5 (High severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue specifically relates to the GUI component of FortiOS, where the lack of proper resource allocation limits in API endpoints makes the system susceptible to memory exhaustion attacks (Fortinet Advisory).

The primary impact of this vulnerability is denial of service (DoS). When successfully exploited, an attacker can cause the system to consume all available memory resources, potentially leading to system unavailability (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to the following versions: FortiOS 7.4.5 or above for 7.4 branch, 7.2.9 or above for 7.2 branch, 7.0.16 or above for 7.0 branch, and the upcoming 6.4.16 or above for 6.4 branch. Users should follow the recommended upgrade path using Fortinet's upgrade tool (Fortinet Advisory).

The vulnerability was discovered and reported by Ben Barnea from Akamai under responsible disclosure practices. This finding was part of a broader security research effort that uncovered multiple vulnerabilities in Fortinet products (Hacker News).