Advisory October 24, 2024

Fortinet FortiManager Critical Vulnerability with CVE-2024-47575

The Obrela Threat Intelligence Team

A vulnerability has been identified in Fortinet FortiManager installations. The vulnerability could allow for unauthenticated Remote Code Execution (RCE). The vulnerability (CVE-2024-47575) has a Critical CVSSv3.1 score of 9.8 out of 10.

Description:

The vulnerability lies in the FortiGate to FortiManager Protocol (FGFM) and has been dubbed FortiJump by security researchers. Because of a missing-authentication flaw, a remote unauthenticated attacker is able to execute arbitrary code or commands on the FortiManager platform via specially crafted requests. The only requirement for exploitation is that the attacker possess a valid Fortinet device certificate, which can be acquired from any enrolled Fortinet device.

Fortinet publicly disclosed the vulnerability on October 23; limited customer disclosure and patching had begun about a week earlier. Although the disclosure is recent, there are already reports of in-the-wild exploitation. Prompt patching of FortiManager instances running the affected functionality is very strongly encouraged. Fortinet has shared a precise list of vulnerable versions, as well as a number of workarounds for cases where full patching is not immediately possible; see the advisory linked below.

Affected Versions:

  • FortiManager versions 6.0, 7.4.0 – 7.4.4, 7.2.0 – 7.2.7, 7.0.0 – 7.0.12, 6.4.0 – 6.4.14, 6.2.0 – 6.2.12.
  • FortiManager Cloud versions 4.1 – 7.4.4, 7.2.1 – 7.2.7, 7.0.1 – 7.0.12, 6.4.
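To triage an inventory against the on-premises FortiManager ranges listed above, the following added example (not from the advisory or from Fortinet) compares versions numerically rather than as strings, so that 7.4.10 is correctly treated as later than 7.4.4, and treats a bare branch such as "6.0" as every 6.0.x release. Version strings of the form "7.4.3" or "v7.4.3 build1234" are assumed; the sample inventory is constructed.

```python
# Affected on-prem FortiManager ranges exactly as listed in this advisory.
# A single branch ("6.0") is treated as every release on that branch.
AFFECTED_RANGES = [
    ("6.0", "6.0"),
    ("7.4.0", "7.4.4"),
    ("7.2.0", "7.2.7"),
    ("7.0.0", "7.0.12"),
    ("6.4.0", "6.4.14"),
    ("6.2.0", "6.2.12"),
]


def parse_version(text):
    """Turn '7.4.3' or 'v7.4.3 build1234' into an int tuple; reject anything else."""
    core = text.strip().lower().lstrip("v").split()[0] if text.strip() else ""
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def in_range(version, low, high):
    """Numeric tuple comparison, so 7.4.10 sorts after 7.4.4 (a string compare would not)."""
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    if len(lo) < 3 and len(hi) < 3:
        # Branch-level range: compare only as many components as the bound has.
        return lo <= v[: len(lo)] <= hi
    # Pad a short version ("7.4") with zeros so it compares as 7.4.0.
    v = v + (0,) * (max(len(lo), len(hi)) - len(v))
    return lo <= v <= hi


def is_affected(version, ranges=AFFECTED_RANGES):
    """True if the version falls inside any listed affected range."""
    return any(in_range(version, lo, hi) for lo, hi in ranges)


def triage(inventory):
    """Map hostname -> verdict for (hostname, version) pairs; never crash on bad input."""
    verdicts = {}
    for host, ver in inventory:
        try:
            verdicts[host] = "AFFECTED" if is_affected(ver) else "not in listed ranges"
        except ValueError as err:
            verdicts[host] = f"UNKNOWN ({err})"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("fmg-dc1", "7.4.3"), ("fmg-dc2", "v7.0.13 build0001"),
              ("fmg-lab", "6.0.11"), ("fmg-old", "7.2.10"), ("fmg-bad", "n/a")]
    for host, verdict in triage(sample).items():
        print(f"{host:10s} {verdict}")
```

A verdict of "not in listed ranges" means only that the version is outside the ranges printed above; confirm the fixed release against the Fortinet PSIRT advisory before closing a ticket.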

Recommendations:

  • Refer to the Fortinet PSIRT advisory for precise version information and remediation guidance at https://www.fortiguard.com/psirt/FG-IR-24-423.
  • If a deployed system is running an affected version, review its system logs for signs of suspicious activity.
  • Ensure automatic updates are enabled for future instances.
