CanSSOC advisory: Vulnerability – FortiManager vulnerability under active exploitation
Published: October 28, 2024
TLP: CLEAR
CanSSOC Threat Assessment [*]: HIGH
Summary:
On October 23rd, Fortinet published an advisory [1] related to a critical FortiManager API vulnerability, tracked as CVE-2024-47575 (CVSSv3: 9.8). The vulnerability was exploited in zero-day attacks to steal sensitive files containing configurations, IP addresses, and credentials for managed devices.
Fortinet notes that “a missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.”
CISA has added this vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation [4].
There are reports that Fortinet apparently began informing customers privately about the issue a few days ago [5].
Additionally, security researcher Kevin Beaumont has been warning about the issue, which he dubbed FortiJump, for days now [6].
Details:
- CVE: CVE-2024-47575
- CVSSv3: 9.8
- Impacted version(s): See Fortinet advisory [1] for a complete list of impacted versions.
- Fixed version(s): See Fortinet advisory [1] for a complete list of the fixed versions.
- Active exploitation: There are reports of active exploitation in the wild.
Recommendations:
Fortinet recommends that users of FortiManager 7.6 and below update their software immediately. FortiGate has also issued a list of indicators of compromise (IoCs) that admins should search for, including four IP addresses known to be malicious [7]: 45.32.41.202, 104.238.141.143, 158.247.199.37, and 45.32.63.2. Note that the disclosed IoCs may not appear in all cases.
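A practical way to act on the IP-address IoCs above is to sweep FortiManager and perimeter logs for any occurrence of those four addresses. The script below is an added example for this advisory, not code published by CanSSOC or Fortinet: it extracts dotted-quad tokens from each log line, validates them as real IPv4 addresses, and reports every line that references one of the listed IoC IPs. The log lines embedded in it are constructed for illustration and are not real FortiManager output; the word-boundary handling is there so that near-miss addresses such as 145.32.63.2 or 45.32.63.20 are not reported as hits.

```python
import ipaddress
import re
from collections import Counter

# IoC IP addresses taken from the advisory text (Fortinet IoC list, reference [7]).
IOC_IPS = frozenset({
    "45.32.41.202",
    "104.238.141.143",
    "158.247.199.37",
    "45.32.63.2",
})

# Dotted-quad matcher. The lookbehind rejects a leading digit or dot so that
# "145.32.63.2" is not read as "45.32.63.2"; the lookahead rejects a following
# digit (optionally after a dot) so that "45.32.63.20" and "45.32.63.2.5" are
# not read as "45.32.63.2", while a sentence-ending "45.32.63.2." still matches.
_IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")


def extract_ipv4(line):
    """Return the syntactically valid IPv4 addresses found in one log line."""
    found = []
    for token in _IPV4_RE.findall(line):
        try:
            found.append(str(ipaddress.IPv4Address(token)))
        except ipaddress.AddressValueError:
            continue  # e.g. 999.1.1.1 looks like an address but is not one
    return found


def scan_lines(lines, iocs=IOC_IPS):
    """Return (line_number, matched_ip, line) for every line naming an IoC IP."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for ip in extract_ipv4(line):
            if ip in iocs:
                hits.append((lineno, ip, line.rstrip()))
    return hits


def summarize(hits):
    """Count how often each IoC IP appears across the scanned lines."""
    return Counter(ip for _, ip, _ in hits)


# Constructed sample log lines (hypothetical syslog-style format, not real
# FortiManager output). Lines 1, 4, 7 and 9 reference IoC IPs; lines 5 and 6
# contain near-miss addresses that must not be reported.
SAMPLE_LOG = [
    "2024-10-24T03:12:07Z fmg fgfmd: new connection from 45.32.41.202:5841",
    "2024-10-24T03:12:09Z fmg fgfmd: device registered serial=FMG-EXAMPLE0001",
    "2024-10-24T03:13:15Z fmg sshd: accepted publickey for admin from 10.20.30.40",
    "2024-10-24T03:14:02Z fmg fgfmd: unexpected session from 104.238.141.143:4041",
    "2024-10-24T03:15:44Z fmg fgfmd: connection from 145.32.63.2 closed",
    "2024-10-24T03:16:01Z fmg httpd: GET /status from 45.32.63.20",
    "2024-10-24T03:17:30Z fmg fgfmd: connection from 45.32.63.2.",
    "2024-10-24T03:18:00Z fmg fgfmd: connection from 999.1.1.1 rejected",
    "2024-10-24T03:19:22Z fmg fgfmd: retry from 45.32.41.202",
]


if __name__ == "__main__":
    # To scan a real export, replace SAMPLE_LOG with open(path).readlines().
    hits = scan_lines(SAMPLE_LOG)
    for lineno, ip, line in hits:
        print(f"line {lineno}: IoC {ip} in: {line}")
    print("IoC hit counts:", dict(summarize(hits)))
```

Run it against an exported log file by swapping `SAMPLE_LOG` for the file's lines; a hit is a reason to follow the full Fortinet IoC list and the advisory's guidance, and an empty result is not proof of absence, since the advisory itself notes the disclosed IoCs may not appear in all cases.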
References:
- [1] Missing authentication in fgfmsd | Fortinet
- [2] Fortinet warns of new critical FortiManager flaw used in zero-day attacks | Bleeping Computer
- [3] FortiManager critical vulnerability under active attack | The Register
- [4] CISA Adds One Known Exploited Vulnerability to Catalog | America’s Cyber Defense Agency
- [5] Why was FortiManager 7.2.8 released? | Reddit
- [6] Kevin Beaumont @GossiTheDog@cyberplace.social
- [7] MISP Threat Sharing
Support:
As always, please contact security.response@utoronto.ca if you have any questions or concerns or feel that a device has been compromised by this vulnerability.
Footnotes:
[*] The CanSSOC Threat Assessment has the following four scores: LOW, MEDIUM, HIGH, SEVERE.