Fortinet has confirmed a critical security flaw in FortiManager that is actively being exploited in the wild. The vulnerability, tracked as CVE-2024-47575, has a CVSS score of 9.8 and is also referred to as FortiJump. It stems from a weakness in the FortiGate to FortiManager (FGFM) protocol.
In an advisory issued on Wednesday, Fortinet explained, "A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests."
The flaw affects FortiManager 7.x and 6.x, FortiManager Cloud 7.x and 6.x, and older FortiAnalyzer models (1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, and 3900E), provided they have at least one interface with the fgfm service enabled. The following workarounds apply, depending on the version:
- FortiManager versions 7.0.12 or above, 7.2.5 or above, 7.4.3 or above: Prevent unknown devices from attempting to register.
- FortiManager versions 7.2.0 and above: Add local-in policies to allow-list the IP addresses of FortiGates allowed to connect.
- FortiManager versions 7.2.2 and above, 7.4.0 and above, 7.6.0 and above: Use a custom certificate.
runZero noted that successful exploitation requires the attacker to hold a valid Fortinet device certificate, which could be obtained from an existing Fortinet device and reused.
"The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager, which contained the IPs, credentials, and configurations of the managed devices," said Fortinet. However, the company emphasized that the vulnerability has not been weaponized to deploy malware or backdoors on compromised systems, nor is there any evidence of modified databases or connections.
The severity of the flaw prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2024-47575 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by November 13, 2024.
Fortinet shared the following statement with The Hacker News:
"After identifying this vulnerability (CVE-2024-47575), Fortinet promptly communicated critical information and resources to customers. This is in line with our processes and best practices for responsible disclosure to enable customers to strengthen their security posture prior to an advisory being publicly released to a broader audience, including threat actors. We also have published a corresponding public advisory (FG-IR-24-423) reiterating mitigation guidance, including a workaround and patch updates. We urge customers to follow the guidance provided to implement the workarounds and fixes and to continue tracking our advisory page for updates. We continue to coordinate with the appropriate international government agencies and industry threat organizations as part of our ongoing response."
Source: The Hacker News