Fortinet Confirms Critical Vulnerability in FortiManager Under Active Exploitation
Fortinet has identified a significant security vulnerability affecting its FortiManager product, designated as CVE-2024-47575, with a high CVSS score of 9.8. This vulnerability, also referred to as FortiJump, relates to the FGFM protocol utilized for communication between FortiGate devices and FortiManager. The flaw has been reported to be actively exploited in the wild, raising urgent concerns among users and security professionals alike.
The vulnerability allows remote, unauthenticated attackers to execute arbitrary code or commands through specially crafted requests directed at the fgfmd daemon of FortiManager. Fortinet’s advisory states that the issue stems from missing authentication for critical functions, which makes it a prime target for cybercriminals. Affected versions include FortiManager 7.x, 6.x, and specific older FortiAnalyzer models that have the fgfm service enabled.
In addition to addressing the immediate threat, Fortinet has provided several mitigation strategies tailored to the varying versions of FortiManager in use. Organizations operating on versions 7.0.12 or higher are advised to restrict unknown devices from attempting registration, while those using newer versions should implement specific access policies and utilize custom certificates to bolster their security protocols.
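The mitigation above restricts which devices may register with FortiManager. The detection-side counterpart is to review device-registration events against an inventory of serial numbers you actually own. The following Python script is an added example written for this article, not Fortinet's code or anything from the advisory: the key=value log layout, field names (`action`, `sn`, `src`, `device`) and the sample lines are all constructed for illustration, and would need to be mapped onto the real log format of your deployment.

```python
import ipaddress
import re

# Constructed sample event lines for this example. The key=value layout and
# the field names are an ASSUMPTION, not Fortinet's documented log format.
SAMPLE_LOGS = [
    'date=2024-10-20 time=10:01:12 type=event action=register device="FGT-branch-01" sn="FGT60FTK00000001" src=10.0.10.5 status=success',
    'date=2024-10-20 time=10:02:41 type=event action=register device="localhost" sn="FGT60FTK99999999" src=198.51.100.23 status=success',
    'date=2024-10-20 time=10:03:05 type=event action=login user=admin src=10.0.0.2 status=success',
    'date=2024-10-20 time=10:05:19 type=event action=register device="FGT-branch-02" sn="FGT60FTK00000002" src=10.0.20.5 status=success',
]

# Inventory of managed FortiGate serials and the networks they register from
# (constructed values; in practice export these from your asset inventory).
KNOWN_SERIALS = {"FGT60FTK00000001", "FGT60FTK00000002"}
TRUSTED_NETS = ["10.0.0.0/8"]

# Matches key=value pairs where the value may be a quoted string or a bare token.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict:
    """Split one key=value event line into a dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def find_unknown_registrations(lines, known_serials, trusted_nets):
    """Return registration events whose serial is not in inventory or whose
    source address falls outside the trusted management networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in lines:
        ev = parse_kv(line)
        if ev.get("action") != "register":
            continue  # only device-registration events are of interest here
        reasons = []
        if ev.get("sn") not in known_serials:
            reasons.append("serial not in inventory")
        src = ev.get("src", "")
        try:
            addr = ipaddress.ip_address(src)
            if not any(addr in net for net in nets):
                reasons.append("source outside trusted networks")
        except ValueError:
            reasons.append("unparseable source address")
        if reasons:
            findings.append({
                "device": ev.get("device"),
                "sn": ev.get("sn"),
                "src": src,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_unknown_registrations(SAMPLE_LOGS, KNOWN_SERIALS, TRUSTED_NETS):
        print(f"REVIEW: device={f['device']} sn={f['sn']} src={f['src']} "
              f"({'; '.join(f['reasons'])})")
```

Run against the constructed sample, the script flags only the second registration: its serial is not in the inventory and it arrived from an address outside the management network. Registrations from known serials on trusted networks and unrelated events such as logins are ignored, which keeps the output small enough to review by hand.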
A recent assessment by runZero indicates that exploiting this vulnerability requires possession of a valid Fortinet device certificate, which can potentially be retrieved from already compromised devices. The nature of the targeted information is alarming: attackers reportedly automate the exfiltration of sensitive data, including IP addresses, credentials, and device configurations, from compromised FortiManager systems. However, there is currently no evidence that the vulnerability has been exploited to deploy malware or create backdoors on the affected systems.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has subsequently added this vulnerability to its Known Exploited Vulnerabilities catalog, mandating that federal agencies implement the necessary fixes by November 13, 2024. Fortinet asserts that it has communicated essential information promptly to its customers, equipping them with the resources to enhance their security posture prior to public disclosure.
According to Mandiant, the Google-owned cybersecurity firm, the ongoing exploitation of FortiManager devices is attributed to a newly identified threat group tracked as UNC5820. An investigation revealed that at least fifty FortiManager devices across a range of industries had been compromised since late June 2024. Configuration data exfiltrated from these devices includes sensitive user information and passwords, which could facilitate further incursions into the environments these devices protect.
The attack has predominantly targeted organizations based in the United States, putting large enterprises at significant risk due to the potential for remote code execution. Reports from Censys further emphasize the seriousness of this vulnerability, revealing over 4,000 exposed FortiManager admin portals online, with a considerable percentage of these instances located within the U.S.
These findings underline a worrisome trend of escalating cyber threats exploiting existing vulnerabilities. The tactics likely employed in this attack align with several techniques outlined in the MITRE ATT&CK framework, including initial access through unauthorized exploitation, potential privilege escalation as attackers move laterally within networks, and persistent access to sensitive data for future exploitation. As the cybersecurity landscape evolves, organizations must remain vigilant and responsive to such threats, continuously reinforcing their defenses against emerging vulnerabilities.