CVE-2024-47570: Escalation of privilege in Fortinet FortiSASE
An insertion of sensitive information into log file vulnerability [CWE-532] in FortiOS 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0 all versions; FortiProxy 7.4.0 through 7.4.3, 7.2.0 through 7.2.11; FortiPAM 1.4 all versions, 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions and FortiSRA 1.4 all versions may allow a read-only administrator to retrieve API tokens of other administrators via observing REST API logs, if REST API logging is enabled (non-default configuration).
AI Analysis
Technical Summary
CVE-2024-47570 is a CWE-532 weakness (insertion of sensitive information into a log file) that Fortinet's description attributes to FortiOS, FortiProxy, FortiPAM and FortiSRA; the page title also names FortiSASE, which is built on the same platform. When REST API logging is enabled (it is off by default), the API tokens that administrators present on REST API calls are written into the REST API logs. A read-only administrator, whose role is meant to allow no configuration changes, can read those logs, copy the tokens of other administrators and then call the REST API with a stolen token, inheriting whatever privileges the token's owner holds. The affected releases, as listed in the description, are FortiOS 7.4.0 through 7.4.3, 7.2.0 through 7.2.7 and every 7.0 release; FortiProxy 7.4.0 through 7.4.3 and 7.2.0 through 7.2.11; every release of FortiPAM 1.0, 1.1, 1.2, 1.3 and 1.4; and every FortiSRA 1.4 release. The bounded ranges imply that later releases of the FortiOS 7.4 and 7.2 branches and of the FortiProxy 7.4 and 7.2 branches are not affected, while the branches listed as "all versions" have no fixed release and need a move to a newer branch. The page records a CVSS v3.1 base score of 6.3 (medium), with a network attack vector, high privileges required (an existing read-only administrator account) and no user interaction. A base score of 6.3 cannot correspond to High impact on all of confidentiality, integrity and availability with a network attack vector, so the impact metrics should be taken from Fortinet's advisory rather than assumed; the direct impact is disclosure of a bearer credential, and integrity and availability follow from what that credential is then used to do. No public exploit is known and the page links no patch. The weakness matters because an API token is a bearer credential, whoever holds it is the administrator it was issued to, and log stores are routinely readable by roles that were never meant to hold the credentials the log contains.
Potential Impact
A read-only administrator who obtains another administrator's API token can call the REST API as that administrator; if the token belongs to a full-privilege account, the read-only role is effectively escalated to read-write. From there the token holder can change firewall policy and other configuration, read data the read-only role could not, or disrupt service, so confidentiality and integrity are directly at stake and availability indirectly. Because Fortinet products sit at network perimeters and inside managed security services, a compromised administrator token can also become a pivot into the networks behind the device and undermines the trust placed in the device's own access controls. Exploitation needs two preconditions that narrow the exposure, an existing read-only administrator login and REST API logging switched on, but both are common where read-only accounts are handed out for monitoring, auditing or helpdesk use, so those accounts become the path by which an insider or a phished low-privilege administrator reaches full control.
Mitigation Recommendations
Organizations should first determine, on every FortiOS, FortiProxy, FortiPAM and FortiSRA deployment, whether REST API logging is enabled; it is off by default, and the vulnerability is not reachable while it is off (on FortiOS the toggles are expected under `config log setting`, the `rest-api-get` and `rest-api-set` options; verify the option names against the CLI reference for the release in use). Where it is enabled on an affected release, the practical choices are to upgrade to a release outside the affected ranges (for branches listed as "all versions" that means moving to a newer branch) or, until then, to disable REST API logging and restrict who can read the log store. Any deployment that had REST API logging enabled on an affected release should assume that every API token used over the REST API during that window is exposed: regenerate those tokens (in FortiOS this is done per API user, for example with `execute api-user generate-key <name>`; confirm the command against the release's CLI reference), then purge or scrub the affected log entries, including copies forwarded to FortiAnalyzer, syslog or a SIEM, since a token in a forwarded log is just as usable as one on the device. Review administrator profiles so that read-only roles which do not need raw log data cannot read it, and alert on REST API calls authenticated with one administrator's token from a source address, time of day or client that does not match that administrator's normal use. Finally, treat this as a logging-policy matter rather than a one-off: Authorization headers, API keys and session identifiers should be redacted before a log line is written, and the logging configuration should be re-checked after each upgrade, because a non-default log setting survives upgrades.
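The mechanism described in the Technical Summary (a credential copied verbatim into a request log) and the last point of the Mitigation Recommendations (redact secrets before logging, and audit logs that were already written) can be shown in working code. The following is an added example written for this page; it is not Fortinet code and does not use Fortinet's real REST API log schema. It assumes a constructed key=value line format (`user=... method=... path=... q.<param>=... h.<header>=...`) and constructed, fake tokens. `log_request_naive` is the CWE-532 pattern, `log_request_safe` the hardened form, and `find_leaked_tokens` and `scrub_line` audit lines that already exist so that the owners of exposed tokens can be listed for rotation.

```python
import re
from typing import Dict, List, Tuple

# Header and parameter names whose values are credentials and must never reach a log.
SECRET_HEADERS = {"authorization", "x-api-key", "cookie"}
SECRET_PARAMS = {"access_token", "api_key", "apikey", "token", "password", "secret"}
REDACTED = "[REDACTED]"


def _base(user: str, method: str, path: str) -> List[str]:
    return [f'user="{user}"', f'method="{method}"', f'path="{path}"']


def log_request_naive(user: str, method: str, path: str,
                      query: Dict[str, str], headers: Dict[str, str]) -> str:
    """Vulnerable pattern (CWE-532): every query parameter and header is
    written verbatim, so a bearer token or access_token lands in the log."""
    parts = _base(user, method, path)
    parts += [f'q.{k}="{v}"' for k, v in query.items()]
    parts += [f'h.{k.lower()}="{v}"' for k, v in headers.items()]
    return " ".join(parts)


def _redact_header(name: str, value: str) -> str:
    if name.lower() not in SECRET_HEADERS:
        return value
    # Keep the auth scheme ("Bearer") so the log still records *how* the call
    # authenticated, but drop the credential itself.
    if name.lower() == "authorization" and " " in value:
        return f"{value.split(' ', 1)[0]} {REDACTED}"
    return REDACTED


def log_request_safe(user: str, method: str, path: str,
                     query: Dict[str, str], headers: Dict[str, str]) -> str:
    """Hardened pattern: credential-bearing fields are replaced before the
    line is formatted, so nothing downstream (log viewer, read-only admin,
    SIEM forwarder) can recover the secret."""
    parts = _base(user, method, path)
    parts += [f'q.{k}="{REDACTED if k.lower() in SECRET_PARAMS else v}"'
              for k, v in query.items()]
    parts += [f'h.{k.lower()}="{_redact_header(k, v)}"' for k, v in headers.items()]
    return " ".join(parts)


# --- Audit of logs that were already written ---------------------------------
# Token-shaped values in the constructed format above. The length floor avoids
# matching short non-secret words; tune it to the real token format.
_TOKEN_RES = [
    re.compile(r'h\.authorization="Bearer (?P<tok>[A-Za-z0-9._\-]{16,})"'),
    re.compile(r'q\.(?:access_token|api_key|apikey|token)="(?P<tok>[A-Za-z0-9._\-]{16,})"'),
]
_USER_RE = re.compile(r'user="(?P<user>[^"]*)"')


def find_leaked_tokens(lines) -> List[Tuple[str, str]]:
    """Return sorted, de-duplicated (user, token) pairs found in existing log
    lines: the administrators whose API tokens must be regenerated."""
    hits = set()
    for line in lines:
        m = _USER_RE.search(line)
        user = m.group("user") if m else "?"
        for pat in _TOKEN_RES:
            for t in pat.finditer(line):
                hits.add((user, t.group("tok")))
    return sorted(hits)


def scrub_line(line: str) -> str:
    """Rewrite one already-written line so the token value is replaced in place."""
    for pat in _TOKEN_RES:
        line = pat.sub(lambda m: m.group(0).replace(m.group("tok"), REDACTED), line)
    return line


# Constructed sample input (not real Fortinet log output, not real tokens).
SAMPLE_LOG = [
    log_request_naive("admin", "GET", "/api/v2/monitor/system/status", {},
                      {"Authorization": "Bearer 9f3c1a7e5b2d4c8a9f3c1a7e5b2d4c8a"}),
    log_request_naive("netops", "POST", "/api/v2/cmdb/firewall/policy",
                      {"access_token": "Q2hhbmdlTWVOb3dQbGVhc2U0MzIx", "vdom": "root"}, {}),
    log_request_naive("readonly", "GET", "/api/v2/monitor/log/event", {},
                      {"Accept": "application/json"}),
]

if __name__ == "__main__":
    for user, tok in find_leaked_tokens(SAMPLE_LOG):
        print(f"rotate token for {user}: ...{tok[-4:]}")
    for line in SAMPLE_LOG:
        print(scrub_line(line))
```

Run as a script it prints the rotation list and the scrubbed lines. Two points transfer to a real deployment: redaction has to happen where the line is built, not in the viewer, because the viewer is exactly the component a read-only administrator is allowed to use; and a scan of historical logs must cover every copy (forwarded syslog, SIEM, backups), because scrubbing the on-device copy does nothing for tokens already shipped elsewhere.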
Affected Countries
United States, Germany, United Kingdom, France, Japan, Australia, Canada, India, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: fortinet
- Date Reserved: 2024-09-27T16:19:24.136Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69385e4c74ebaa3baba14001
Added to database: 12/9/2025, 5:37:16 PM
Last enriched: 2/27/2026, 4:33:21 AM
Last updated: 3/25/2026, 1:37:20 AM