CVE-2024-47570 is a vulnerability identified in Fortinet's FortiProxy, FortiOS, FortiPAM, and FortiSRA products that allows a read-only administrator to escalate privileges by retrieving API tokens of other administrators. The root cause is the insertion of sensitive information, specifically API tokens, into REST API logs when REST API logging is enabled—a configuration that is not enabled by default. This vulnerability is classified under CWE-532, which concerns the exposure of sensitive information through logs. The affected versions include FortiOS 7.0 through 7.4.3, FortiProxy 7.2.0 through 7.4.3, and all versions of FortiPAM and FortiSRA 1.4. Since the REST API logs contain sensitive tokens, a read-only administrator with access to these logs can extract API tokens belonging to other administrators, potentially allowing them to perform actions beyond their intended permissions. The vulnerability requires that REST API logging be enabled, which is a deliberate configuration change, and that the attacker already has read-only administrator access, which limits the ease of exploitation. The CVSS 3.1 base score is 6.3, indicating a medium severity with high impact on confidentiality, integrity, and availability if exploited. No public exploits have been reported to date, but the vulnerability poses a risk in environments where REST API logging is enabled and access controls are insufficiently restrictive.

For European organizations, this vulnerability could lead to unauthorized privilege escalation within Fortinet security infrastructure, potentially compromising network security management and monitoring. If an attacker gains access to API tokens of higher-privileged administrators, they could manipulate firewall rules, proxy configurations, or access sensitive data, undermining confidentiality, integrity, and availability of critical security functions. This risk is particularly significant for large enterprises, government agencies, and critical infrastructure operators that rely heavily on Fortinet products for perimeter defense and secure remote access. The requirement for REST API logging to be enabled reduces the immediate risk but also highlights the importance of secure logging practices. Organizations with multiple administrators and complex access hierarchies are at greater risk if access controls are not tightly enforced. Additionally, the exposure of API tokens could facilitate lateral movement within networks, increasing the potential impact of a breach.

1. Immediately review and disable REST API logging on Fortinet products unless it is strictly necessary for operational or compliance reasons. 2. If REST API logging must be enabled, restrict read-only administrator access to logs containing sensitive information using strict role-based access controls and network segmentation. 3. Rotate API tokens regularly and enforce strong authentication mechanisms for all administrator accounts to limit the window of opportunity for token misuse. 4. Monitor logs for unusual access patterns or attempts to retrieve API tokens. 5. Apply any available patches or updates from Fortinet as soon as they are released addressing this vulnerability. 6. Conduct a thorough audit of administrator privileges and remove unnecessary read-only admin accounts. 7. Educate security teams about the risks of sensitive data exposure in logs and implement secure logging best practices, including log encryption and access controls. 8. Consider deploying additional monitoring tools to detect anomalous API usage that could indicate exploitation attempts.