October 31, 2024
Fortinet has updated its security advisory for the critical FortiManager vulnerability (CVE-2024-47575) to add further workarounds and indicators of compromise (IOCs). A remote, unauthenticated cyber threat actor could exploit this vulnerability to gain access to sensitive files or take control of an affected system. At this time, all patches have been released. CISA reported the updates in a security alert yesterday.
Users and administrators are strongly encouraged to apply the updates, hunt for malicious activity using the published IOCs, assess the risk introduced by service providers that manage FortiManager on their behalf, and review the following articles for additional information:
- Fortinet Advisory (updated) | Fortinet
- Fortinet FortiManager Missing Authentication Vulnerability | CISA
- Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575) | Mandiant (Google Cloud)
October 24, 2024
On October 23, 2024, Fortinet published an advisory on CVE-2024-47575, a critical zero-day vulnerability affecting Fortinet's FortiManager and FortiManager Cloud network management products. View Fortinet Advisory FG-IR-24-423 for impacted versions.
Note: Impacted Fortinet FortiManager customers may have already been notified, but some customers have reported that they never received any communication. System administrators are encouraged to see Fortinet Advisory FG-IR-24-423 and apply the necessary patches and mitigations. Utilities that outsource technology support are highly encouraged to confirm that their service providers are aware of this issue and are addressing it accordingly.
Vulnerability Overview
- CVE-2024-47575 is a missing authentication vulnerability in the FortiGate to FortiManager (FGFM) daemon (fgfmsd) in FortiManager and FortiManager Cloud.
- Severity: Critical (CVSS v3 score of 9.8)
- Allows a remote, unauthenticated attacker who holds a valid FortiGate certificate to register unauthorized devices in FortiManager. Such a certificate can be taken from any FortiGate unit, including one the attacker owns, so this requirement is a low bar.
- Successful exploitation of CVE-2024-47575 could allow an attacker to:
  - View and modify files, including configuration files.
  - Obtain sensitive information.
  - Manage other devices connected to FortiManager.
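The hunting guidance in the October 31 entry and the registration mechanism described above come together in the one log pattern an administrator most wants to catch: an FGFM device registration nobody on the team performed. The following is an added example, not code from Fortinet, CISA or Mandiant. It parses FortiManager-style key=value event lines and flags device-manager (dvm) "Add device" events for names outside the known inventory, the "Unregistered device ... add succeeded" message that Fortinet's advisory lists, and any field matching an IOC list. The sample log lines, device inventory and IOC values are constructed placeholders (the field name srcip is an assumption); the real serial numbers and IP addresses must be copied from FG-IR-24-423.

```python
"""Hunt FortiManager event logs for FGFM device registrations nobody asked for.

Added example; not code from Fortinet, CISA or Mandiant. The log lines,
device inventory and IOC values below are constructed placeholders.
"""
from __future__ import annotations

import re
from typing import Dict, List, Tuple

# Constructed inventory: the FortiGates you expect to see in FortiManager.
KNOWN_DEVICES = {"FGT-HQ-01", "FGT-BRANCH-02"}

# Placeholder IOC values. Replace with the serial numbers and IP addresses
# published in Fortinet advisory FG-IR-24-423; these are RFC 5737 test addresses.
IOC_VALUES = {"203.0.113.10", "198.51.100.20", "FMG-VMTM-PLACEHOLDER"}

# key=value pairs: quoted values may contain spaces and commas,
# unquoted values end at the next space or comma.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one FortiManager-style key=value event line into a dict."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in _KV.finditer(line)
    }


def flag_event(fields: Dict[str, str]) -> List[str]:
    """Return the reasons a device-manager (dvm) event looks suspicious."""
    reasons: List[str] = []
    if fields.get("type") != "event" or fields.get("subtype") != "dvm":
        return reasons
    device = fields.get("device", "")
    # A registration the administrator did not perform: name outside the inventory.
    if fields.get("operation") == "Add device" and device not in KNOWN_DEVICES:
        reasons.append(f"device {device!r} added but not in inventory")
    # Fortinet's advisory lists an "Unregistered device ... add succeeded" entry as an IOC.
    if "Unregistered device" in fields.get("changes", ""):
        reasons.append("unregistered device self-registered via FGFM")
    # Any field (srcip, serial, device name) equal to a published IOC value.
    hits = IOC_VALUES.intersection(fields.values())
    if hits:
        reasons.append("matches IOC value(s): " + ", ".join(sorted(hits)))
    return reasons


def hunt(lines) -> List[Tuple[int, List[str]]]:
    """Return (line number, reasons) for every suspicious line."""
    findings = []
    for n, line in enumerate(lines, 1):
        reasons = flag_event(parse_event(line))
        if reasons:
            findings.append((n, reasons))
    return findings


# Constructed sample log; only the "Unregistered device" message mirrors the advisory.
SAMPLE_LOG = [
    'type=event,subtype=dvm,pri=notice,desc="Device,manager,generic,information,log",'
    'user="admin",msg="Add device FGT-HQ-01 succeeded" device="FGT-HQ-01" adom="root" '
    'session_id=1234 operation="Add device" performed_on="FGT-HQ-01" '
    'changes="Device FGT-HQ-01 add succeeded"',
    'type=event,subtype=dvm,pri=notice,desc="Device,manager,generic,information,log",'
    'user="device,FGT-UNKNOWN",msg="Unregistered device localhost add succeeded" '
    'device="localhost" adom="FortiManager" session_id=0 operation="Add device" '
    'performed_on="localhost" changes="Unregistered device localhost add succeeded"',
    'type=event,subtype=dvm,pri=notice,desc="Device,manager,generic,information,log",'
    'user="admin",msg="Edit device FGT-BRANCH-02" device="FGT-BRANCH-02" '
    'srcip=203.0.113.10 adom="root" session_id=77 operation="Edit device" '
    'performed_on="FGT-BRANCH-02" changes="Edit device settings"',
    'type=event,subtype=system,pri=information,desc="System,log",user="admin",'
    'msg="User admin logged in" srcip=192.0.2.5',
]

if __name__ == "__main__":
    for n, reasons in hunt(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
```

Run it against an export of the FortiManager event log rather than the constructed sample, and keep the inventory check even after patching: a device that registered itself before the patch stays registered until someone removes it.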
Other Notable Information
- According to results from Shodan, there are nearly 60,000 FortiManager devices that are internet-facing, including over 13,000 in the United States.
- As of October 23, 2024, no public proof-of-concept exploits had been reported for CVE-2024-47575.
- This vulnerability has been dubbed “FortiJump” by threat researcher Kevin Beaumont.
- Mandiant is tracking exploitation by a new threat cluster identified as UNC5820, with activity observed as early as June 27, 2024. At this time, there is insufficient data to assess actor motivation or location.
- On October 23, 2024, CISA added CVE-2024-47575 to its Known Exploited Vulnerabilities Catalog.
Additional References and Research