Fortinet Warns of Critical Vulnerability in FortiManager Under Active Exploitation

Fortinet has disclosed a critical security vulnerability affecting its FortiManager products, identified as CVE-2024-47575, which carries a severe CVSS score of 9.8. Known as FortiJump, this flaw is associated with the FortiGate to FortiManager (FGFM) protocol and allows remote unauthenticated attackers to execute arbitrary code through specifically crafted requests. The vulnerability affects multiple versions of FortiManager, including 7.x and 6.x, as well as certain legacy FortiAnalyzer models, provided they have the fgfm service enabled and configured accordingly.

To mitigate the risks connected to CVE-2024-47575, Fortinet has outlined specific workarounds tailored to different FortiManager version groups. For versions 7.0.12 and higher, the recommendation is to prevent unknown devices from attempting to register. For those on versions 7.2.0 or above, creating local-in policies to allow-list specific FortiGate IP addresses is suggested. Lastly, users operating on versions 7.2.2 or above are advised to utilize a custom certificate.

Despite the exploitation of this vulnerability, successful attacks reportedly hinge on the attacker possessing a valid Fortinet device certificate. Attackers can acquire such certificates from existing Fortinet devices and potentially reuse them for malicious purposes. Reports indicate that current exploits have involved scripting to automate the exfiltration of files containing sensitive information—such as IP addresses, credentials, and configurations—stored within FortiManager systems. Fortunately, there is no indication that this vulnerability has been exploited to install malware or backdoors, nor have there been any noticeable changes to databases or connections.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recognized the importance of addressing this vulnerability by including CVE-2024-47575 in its Known Exploited Vulnerabilities catalog, thereby ordering federal agencies to implement the necessary fixes by November 13, 2024. Fortinet has expressed its commitment to promptly communicating essential information and resources to customers for enhancing their security postures in light of this vulnerability.

Further scrutiny reveals that a specific threat group, referred to as UNC5820, has been linked to the exploitation of FortiManager systems utilizing CVE-2024-47575. Research from Mandiant has identified at least 50 potentially compromised devices across various sectors, with indications of exploitation dating back to June 27, 2024. This group has reportedly exfiltrated configuration data from the compromised FortiManager devices, which includes sensitive information that could facilitate further attacks on managed systems, although there is no current evidence of lateral movement using this data.

In addition, an alarming number of FortiManager admin portals—over 4,000—have been found to be exposed online, with nearly 30% located in the United States. A significant portion of these instances are linked to Microsoft Cloud, raising concerns about their vulnerability to exploitation via CVE-2024-47575. However, the extent of susceptibility among these exposed instances remains uncertain due to a lack of detailed version information.

Experts in the field, such as Tim Peck from Securonix, have underscored the immense risk posed by the vulnerability, emphasizing its attractiveness to threat actors targeting large-scale enterprises. The possible ramifications of this flaw include unauthorized access, data theft, and disruptions to critical operations. Peck urges impacted organizations to promptly implement the patch released on October 24 and to thoroughly review access logs for any unusual activities, besides ensuring a robust incident response plan is in place.

Fortinet’s proactive measures after identifying the vulnerability, including timely communication and the release of public advisories, align with best practices in responsible disclosure. The company’s ongoing collaboration with international authorities and industry threat organizations underscores its commitment to addressing the challenge posed by this vulnerability and safeguarding customer interests.

As the situation develops, continuous monitoring of the advisory page for updates and implementing the suggested workarounds and fixes will be crucial for users of FortiManager products to protect against potential exploitation of CVE-2024-47575.