Fortinet, a prominent cybersecurity company, has disclosed a critical vulnerability in its FortiManager API, tracked as CVE-2024-47575, which has been exploited in ongoing zero-day attacks. The flaw allows attackers to steal sensitive data, including configuration files, IP addresses, and credentials of managed devices.
Fortinet began warning FortiManager customers privately about the issue on October 13th through emails outlining mitigation steps. However, news of the vulnerability started spreading online as customers shared their experiences on Reddit, and cybersecurity researcher Kevin Beaumont discussed it on Mastodon. Beaumont dubbed the vulnerability “FortiJump” after the attack method used by threat actors.
Zero-Day Vulnerability in FortiManager
This critical flaw has been rated 9.8 out of 10 in severity. According to Fortinet’s security advisory (FG-IR-24-423), the vulnerability stems from a missing authentication process in a critical function within the FortiManager fgfmd daemon. This flaw can allow an unauthenticated attacker to execute arbitrary code by sending specially crafted requests.
The exploitation of this flaw requires attackers to first extract a valid certificate from a Fortinet device, such as a FortiManager VM. Once they have this certificate, they can exploit the vulnerability to gain access to sensitive systems.
Affected Versions and Patches
FortiManager versions affected by the vulnerability include:
- FortiManager 7.6.0 and earlier (upgrade to 7.6.1 or later)
- FortiManager 7.4.0 – 7.4.4 (upgrade to 7.4.5 or later)
- FortiManager 7.2.0 – 7.2.7 (upgrade to 7.2.8 or later)
- FortiManager 7.0.0 – 7.0.12 (upgrade to 7.0.13 or later)
- FortiManager 6.4.0 – 6.4.14 (upgrade to 6.4.15 or later)
- FortiManager 6.2.0 – 6.2.12 (upgrade to 6.2.13 or later)
- FortiManager Cloud versions 7.0.0 to 7.4.4 are also affected.
At the time of disclosure, only patches for FortiManager versions 7.2.8 and 7.4.5 had been released, with patches for other versions expected in the coming days.
Attack Method: Exploiting the FortiGate to FortiManager Protocol
The vulnerability revolves around the FortiGate to FortiManager Protocol (FGFM), which allows FortiGate firewall devices to register with FortiManager servers for centralized management. FGFM is commonly used in setups where network address translation (NAT) is employed, allowing FortiGate units to communicate securely with FortiManager over public and private networks.
As noted by Beaumont, attackers can exploit this protocol by using a stolen certificate to establish an SSL tunnel between a compromised FortiGate device and an exposed FortiManager server. Once connected, attackers can execute code remotely, access configurations, and potentially escalate their privileges across managed devices.
Early Exploitation and Delayed Notification
Fortinet customers have reported that their systems were breached even before the company issued private warnings. A now-deleted Reddit post mentioned that one customer had been attacked weeks before receiving the notification email from Fortinet, indicating that the vulnerability had been actively exploited for some time.
Fortinet’s delayed public disclosure and the absence of a clear, timely advisory have left many administrators scrambling to secure their systems. As more customers report similar attacks, there is growing frustration within the community over the lack of transparency and prompt action by Fortinet.
Protecting Your Systems
Fortinet advises all customers to upgrade their FortiManager installations to the latest patched versions as soon as possible. With the vulnerability actively being exploited in the wild, these updates are critical to safeguarding networks from further attacks. Customers should also review their systems for any unauthorized devices or unusual activity, particularly related to SSL tunnel connections.
Fortinet’s response to the CVE-2024-47575 vulnerability highlights the importance of staying vigilant and promptly applying security updates, especially in critical network management tools like FortiManager.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. As part of our commitment to supporting businesses in their compliance journey, we offer CMMC (Cybersecurity Maturity Model Certification) preparation services. Our team assists organizations in understanding the CMMC requirements and developing the necessary controls to meet compliance standards, ensuring they are well-prepared for CMMC assessments.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact