Recently, Fortinet publicly disclosed a critical zero-day vulnerability affecting its FortiManager product, identified as CVE-2024-47575. This vulnerability, which has been actively exploited in the wild, allows attackers to steal sensitive information such as configurations, IP addresses, and credentials from managed devices. This flaw has a critical severity rating of 9.8 out of 10, making it essential for organisations using FortiManager to act swiftly.
Private Warnings and Public Exposure
While Fortinet began privately notifying select customers about the vulnerability on October 13th, news of the flaw started to surface online through discussions on Reddit and posts by cyber security researcher Kevin Beaumont on Mastodon, who referred to the vulnerability as "FortiJump."
Some organisations reported being breached weeks before the official notification was sent. A now-deleted Reddit comment revealed: "We got breached on this one weeks before it hit 'advance notifications' - zero-day I guess."
The FortiManager Vulnerability Explained
The vulnerability is caused by a missing authentication check in the API of the FortiManager FGFM (FortiGate-to-FortiManager) daemon. This allows unauthorised remote attackers to execute arbitrary code or commands via specially crafted requests. To exploit this flaw, attackers first need a valid certificate from any compromised Fortinet device, such as a FortiManager VM.
Once attackers gain access to a vulnerable FortiManager server, they can take control of the server and its connected FortiGate devices, potentially compromising networks on a larger scale. Managed Service Providers (MSPs) are especially at risk, as attackers can move laterally across managed networks.
Fortinet has confirmed that the vulnerability affects a wide range of FortiManager versions, including versions 7.6, 7.4, 7.2, 7.0, and older cloud-based releases. Patches for versions 7.2.8 and 7.4.5 have already been released, and additional fixes are expected in the coming days.
Exploitation Techniques and Data Theft
Threat actors can use a valid certificate to connect rogue FortiGate devices to exposed FortiManager servers. Once connected, attackers can bypass further authentication requirements in the FGFM API, allowing them to issue commands, steal sensitive configuration data, and gain control over managed devices. This stolen information includes IP addresses, credentials, and device configurations, potentially opening the door to broader network attacks.
According to Mandiant, a threat actor tracked as UNC5820 has been exploiting this vulnerability since June 2024, affecting over 50 FortiManager servers. The attackers targeted the servers to steal configuration data, which they could use to further compromise connected Fortinet devices and networks.
Indicators of Compromise (IOCs) and Attack Patterns
Fortinet has shared a list of Indicators of Compromise (IOCs) that administrators should watch for. In several attacks, rogue FortiGate devices were added to FortiManager servers under the name "localhost." Logs from affected servers show unauthorised commands used to add and modify unregistered devices.
Additionally, several IP addresses associated with the attacks have been traced to the cloud hosting provider Vultr, including:
• 45.32.41.202
• 104.238.141.143
• 158.247.199.37
• 45.32.63.2
Administrators should remain alert for these signs of compromise in their FortiManager systems.
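To show how the indicators above translate into a log review, here is an added triage script (not part of the original article or any Fortinet tooling). It runs over constructed sample lines written in a key=value event style; the field names (srcip, operation, performed_on, msg) and the log lines themselves are assumptions for illustration, and it also flags unregistered-device changes under any device name, not only "localhost".

```python
import re
from collections import Counter

# Source IPs the article attributes to the FortiJump attacks (Vultr-hosted).
KNOWN_BAD_IPS = {"45.32.41.202", "104.238.141.143", "158.247.199.37", "45.32.63.2"}

# Constructed sample lines in a FortiManager-style key=value event format
# (illustrative only, not real logs from an affected server).
SAMPLE_LOG = """\
type=event subtype=dvm srcip=10.0.5.20 operation="Add device" performed_on="FGT-BRANCH-01" msg="Device FGT-BRANCH-01 add succeeded"
type=event subtype=dvm srcip=45.32.41.202 operation="Add device" performed_on="localhost" msg="Unregistered device localhost add succeeded"
type=event subtype=dvm srcip=45.32.41.202 operation="Modify device" performed_on="localhost" msg="Edit device localhost settings"
type=event subtype=system srcip=10.0.5.20 operation="Login" msg="User admin logged in"
type=event subtype=dvm srcip=198.51.100.7 operation="Add device" performed_on="rogue-fgt" msg="Unregistered device rogue-fgt add succeeded"
"""

# Matches key=value pairs where the value is either quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def triage(log_text, bad_ips=KNOWN_BAD_IPS):
    """Return (findings, hits_per_ip) for lines matching the published indicators."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        ev = parse_line(line)
        reasons = []
        if ev.get("srcip") in bad_ips:
            reasons.append("known-attacker-ip")
        # Device-manager events on a device literally named "localhost".
        if ev.get("subtype") == "dvm" and ev.get("performed_on") == "localhost":
            reasons.append("device-named-localhost")
        # Any add/modify of a device that was never registered, whatever its name.
        if "Unregistered device" in ev.get("msg", ""):
            reasons.append("unregistered-device-change")
        if reasons:
            findings.append({"line": lineno, "srcip": ev.get("srcip"),
                             "operation": ev.get("operation"), "reasons": reasons})
    hits_per_ip = Counter(f["srcip"] for f in findings)
    return findings, hits_per_ip

if __name__ == "__main__":
    findings, per_ip = triage(SAMPLE_LOG)
    for f in findings:
        print(f"line {f['line']}: {f['srcip']} {f['operation']!r} -> {', '.join(f['reasons'])}")
    print("suspicious events per source IP:", dict(per_ip))
```

A real review would feed exported FortiManager event logs into triage() and treat any "unregistered-device-change" hit as worth investigating even when the source IP is not on the published list.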
How to Mitigate the FortiManager Vulnerability
Fortinet strongly advises organisations to apply the necessary patches as soon as possible. For those unable to do so immediately, there are several steps that can help mitigate the risk of exploitation:
• Block Unauthorised Devices: Use the CLI command "set fgfm-deny-unknown enable" to prevent unregistered devices from connecting to FortiManager.
• Use Custom SSL Certificates: Implement custom certificates to authenticate FortiGate devices connecting to FortiManager.
• Restrict IP Access: Create an IP whitelist to limit which devices are permitted to connect to FortiManager, reducing the attack surface.
These mitigations provide a layer of protection until full patches can be applied.
Frustration Among Fortinet Customers
Although Fortinet took steps to inform its customers privately, some users expressed dissatisfaction with the way the vulnerability was communicated. Many FortiManager users reported that they only learned of the flaw through leaked information on forums or social media, raising concerns about transparency.
This is not the first time Fortinet has been criticised for its disclosure practices. In December 2022, a critical vulnerability in FortiOS SSL-VPN was quietly patched without public acknowledgement that it was actively being exploited. Similarly, in June 2023, Fortinet patched another zero-day vulnerability in FortiGate SSL-VPN, only disclosing its active exploitation four days after issuing a fix.
Conclusion: Patch Now and Monitor for Threat Activity
The CVE-2024-47575 vulnerability in FortiManager serves as a stark reminder of the importance of proactive security measures and transparent communication. Organisations using FortiManager should prioritise patching affected systems or implementing the recommended mitigations to avoid becoming a victim of this actively exploited flaw.
Fortinet continues to work with international agencies and threat intelligence organisations to track and respond to this vulnerability. Security teams should monitor Fortinet’s advisory page for updates and review Mandiant’s findings for additional insights into the ongoing investigation.
By acting swiftly and staying informed, organisations can protect their networks from further exploitation of this critical vulnerability.