CVE-2024-52963: 
FortiOS vulnerability analysis and mitigation

An out-of-bounds write vulnerability (CVE-2024-52963) was discovered in Fortinet FortiOS IPSEC daemon affecting versions 7.6.0, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10, and all versions of 7.0 and 6.4. The vulnerability was internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security Team on January 14, 2025 (Fortinet Advisory, NVD).

The vulnerability is classified as an out-of-bounds write (CWE-787) in the IPSEC daemon of FortiOS. It has been assigned a CVSSv3.1 score of 3.5 (Low) by Fortinet and 5.9 (Medium) by NIST NVD, with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability can only be triggered under certain conditions that are outside the control of the attacker (Fortinet Advisory, NVD).

If successfully exploited, this vulnerability allows an unauthenticated attacker to trigger a denial of service condition in the affected FortiOS systems (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to the following versions: FortiOS 7.6.1 or above for 7.6 branch, FortiOS 7.4.8 or above for 7.4 branch, FortiOS 7.2.11 or above for 7.2 branch. Users of FortiOS 7.0 and 6.4 should migrate to a fixed release. Fortinet recommends following the upgrade path using their upgrade tool at https://docs.fortinet.com/upgrade-tool (Fortinet Advisory).