Fortinet FortiManager CVE-2024-47575 Exploited in Zero-Day Attacks

Last updated at Fri, 25 Oct 2024 20:33:24 GMT

On Wednesday, October 23, 2024, security company Fortinet published an advisory on CVE-2024-47575, a critical zero-day vulnerability affecting their FortiManager network management solution. The vulnerability arises from a missing authentication for a critical function [CWE-306] in the FortiManager fgfmd daemon that allows a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. The vulnerability carries a CVSS v3 score of 9.8.

Fortinet’s advisory notes that CVE-2024-47575 has been “reported” as exploited in the wild. Rapid7 customers have also reported receiving communications from service providers indicating the vulnerability may have been exploited in their environments. According to the vendor, “The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices.” Rapid7 strongly recommends reviewing the vendor advisory for indicators of compromise and mitigation strategies.

Background

Since roughly October 13, there have been private industry discussions and a number of public posts on Reddit, Twitter, and Mastodon about a rumored zero-day vulnerability in FortiManager. Public Reddit conversations indicated that Fortinet contacted some of their customers by email circa October 15 to “privately disclose” a FortiManager vulnerability and advise on mitigations. Despite embargoed communications and the publication of several news articles, neither a public advisory nor a CVE was issued until October 23.

On the evening of October 22, high-profile cybersecurity researcher Kevin Beaumont published a blog alleging that a state-sponsored adversary has been using this FortiManager zero-day vulnerability in espionage attacks. While Fortinet’s advisory doesn’t include any information about specific adversaries exploiting the vulnerability, Fortinet devices have long been popular targets for state-sponsored threat actors.

Mitigation guidance

Per Fortinet’s advisory, the following versions of FortiManager are vulnerable to CVE-2024-47575 and have mitigation guidance available:

• FortiManager 7.6.0
• FortiManager 7.4.0 through 7.4.4
• FortiManager 7.2.0 through 7.2.7
• FortiManager 7.0.0 through 7.0.12
• FortiManager 6.4.0 through 6.4.14
• FortiManager 6.2.0 through 6.2.12
• FortiManager Cloud 7.4.1 through 7.4.4
• FortiManager Cloud 7.2 (all versions)
• FortiManager Cloud 7.0 (all versions)
• FortiManager Cloud 6.4 (all versions)

The advisory indicates FortiManager Cloud 7.6 is not affected.

FortiManager customers should update to a supported, fixed version on an emergency basis, without waiting for a regular patch cycle to occur. See the vendor advisory for the latest list of fixed versions. A workaround is also available for some versions.

Fortinet’s advisory also includes a list of indicators of compromise (IOCs) that FortiManager customers should look for in their environments.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2024-47575 with an authenticated check for FortiManager available in the Wednesday, October 23 content release.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Our detection library will alert on post-exploitation behaviors related to this zero-day vulnerability as they occur.