Fortinet Warns of Critical Vulnerability in FortiManager Under Active Exploitation
Vulnerability / Network Security
Fortinet has confirmed details of a critical security flaw impacting FortiManager that has come under active exploitation in the wild.
Tracked as CVE-2024-47575 (CVSS score: 9.8), the vulnerability is also known as FortiJump and is rooted in the FortiGate to FortiManager (FGFM) protocol.
“A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests,” the company said in a Wednesday advisory.
The shortcoming impacts FortiManager versions 7.x, 6.x, FortiManager Cloud 7.x, and 6.x. It also affects old FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, and 3900E that have at least one interface with the fgfm service enabled and the following configuration enabled -
config system global
    set fmg-status enable
end
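The configuration condition above can be checked against an exported configuration backup. The following is an added example, not code from Fortinet or from this article; the function names and both sample configurations are constructed for illustration, and it checks only the fmg-status setting, not the per-interface fgfm service.

```python
# Added example: hypothetical helper names, constructed sample configurations.

def global_settings(config_text):
    """Return {key: value} for 'set' lines directly under 'config system global'."""
    stack = []      # open 'config ...' / 'edit ...' blocks, innermost last
    settings = {}
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        head = words[0]
        if head == "config":
            stack.append(" ".join(words))
        elif head == "edit":
            stack.append("edit")
        elif head == "next":
            if stack and stack[-1] == "edit":
                stack.pop()
        elif head == "end":
            # 'end' closes the innermost 'config' block and any 'edit' left open in it
            while stack and stack.pop() == "edit":
                pass
        elif head == "set" and len(words) >= 3 and stack == ["config system global"]:
            settings[words[1]] = " ".join(words[2:]).strip('"')
    return settings

def fmg_status_enabled(config_text):
    """True when the backup carries the 'set fmg-status enable' condition from the advisory."""
    return global_settings(config_text).get("fmg-status") == "enable"

# Constructed sample: the setting is present in the global block.
SAMPLE_EXPOSED = """
config system global
    set hostname "FAZ-LAB"
    set fmg-status enable
end
config system interface
    edit "port1"
        set ip 192.0.2.10 255.255.255.0
    next
end
"""

# Constructed sample: the same line appears, but outside 'config system global'.
SAMPLE_NOT_EXPOSED = """
config system global
    set hostname "FAZ-LAB"
end
config system example
    set fmg-status enable
end
"""
```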
Fortinet has also provided three workarounds for the flaw depending on the current version of FortiManager installed -
- FortiManager versions 7.0.12 or above, 7.2.5 or above, 7.4.3 or above: Prevent unknown devices from attempting to register
- FortiManager versions 7.2.0 and above: Add local-in policies to allow-list the IP addresses of FortiGates that are allowed to connect
- FortiManager versions 7.2.2 and above, 7.4.0 and above, 7.6.0 and above: Use a custom certificate
According to runZero, a successful exploitation requires the attackers to be in possession of a valid Fortinet device certificate, although it noted that such certificates could be obtained from an existing Fortinet device and reused.
“The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices,” the company said.
It, however, emphasized that the vulnerability has not been weaponized to deploy malware or backdoors on compromised FortiManager systems, nor is there any evidence of any modified databases or connections.
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the defect to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by November 13, 2024.
Fortinet also shared the below statement with The Hacker News -
After identifying this vulnerability (CVE-2024-47575), Fortinet promptly communicated critical information and resources to customers. This is in line with our processes and best practices for responsible disclosure to enable customers to strengthen their security posture prior to an advisory being publicly released to a broader audience, including threat actors. We also have published a corresponding public advisory (FG-IR-24-423) reiterating mitigation guidance, including a workaround and patch updates. We urge customers to follow the guidance provided to implement the workarounds and fixes and to continue tracking our advisory page for updates. We continue to coordinate with the appropriate international government agencies and industry threat organizations as part of our ongoing response.
Related news
This Metasploit module exploits a missing authentication vulnerability affecting FortiManager and FortiManager Cloud devices to achieve unauthenticated RCE with root privileges. The vulnerable FortiManager versions are 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.7, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, and 6.2.0 through 6.2.12. The vulnerable FortiManager Cloud versions are 7.4.1 through 7.4.4, 7.2.1 through 7.2.7, 7.0.1 through 7.0.12, and 6.4 (all versions).
About the Remote Code Execution – FortiManager “FortiJump” (CVE-2024-47575) vulnerability. FortiManager is a centralized solution for configuring, enforcing policies, updating, and monitoring Fortinet network devices. 🔻 The vulnerability was released on October 23. A missing authentication for critical function in the FortiManager fgfmd (FortiGate-to-FortiManager) daemon allows remote attacker to execute arbitrary code or commands via […]
Fortinet and Mandiant investigated the mass exploitation of FortiManager devices via CVE-2024-47575, impacting 50+ systems across industries. Threat…
An attacker compromised one of Fortinet's most sensitive products and mopped up all kinds of reconnaissance data helpful for future mass device attacks.