FortiManager Zero-Day Has Been Exploited Since July 2024
A zero-day vulnerability in Fortinet’s FortiManager appliances is being mass exploited by at least one threat actor. The first known instance of exploitation was on June 27, 2024.
The critical vulnerability is tracked as CVE-2024-47575 and has been assigned a CVSS v3.1 severity score of 9.8. The vulnerability, dubbed FortiJump by security researcher Kevin Beaumont, is due to missing authentication for a critical function in the FortiManager fgfmd daemon and allows an unauthenticated attacker to use a FortiManager device to execute arbitrary code or commands against vulnerable FortiManager devices.
In order to successfully exploit the vulnerability, an attacker requires a valid Fortinet device certificate. The certificate could be obtained from an existing Fortinet device and could be reused for multiple attacks. According to Fortinet, attacks exploiting the vulnerability have involved an automated script that exfiltrates files from FortiManager. Those files contain IP addresses, credentials, and device configurations. So far, Fortinet has not detected any modified databases or connections, and the vulnerability does not appear to have been used to deploy malware or backdoors on FortiManager systems, only to steal data.
The threat actor(s) behind the exploitation of the vulnerability have not been identified. Mandiant is tracking the activity as UNC5820 and has identified 50+ potential victims. Because the vulnerability is known to have been exploited for an extended period, simply upgrading to a patched version is insufficient. Mandiant recommends that all users of Internet-exposed vulnerable products conduct a forensic investigation immediately.
FortiManager Versions Affected by CVE-2024-47575
| Affected Product | Affected Versions | Patched Versions |
| --- | --- | --- |
| FortiManager 7.6 | 7.6.0 | 7.6.1 and above |
| FortiManager 7.4 | 7.4.0 through 7.4.4 | 7.4.5 and above |
| FortiManager 7.2 | 7.2.0 through 7.2.7 | 7.2.8 and above |
| FortiManager 7.0 | 7.0.0 through 7.0.12 | 7.0.13 and above |
| FortiManager 6.4 | 6.4.0 through 6.4.14 | 6.4.15 and above |
| FortiManager 6.2 | 6.2.0 through 6.2.12 | 6.2.13 and above |
| FortiManager Cloud 7.4 | 7.4.1 through 7.4.4 | 7.4.5 and above |
| FortiManager Cloud 7.2 | 7.2.1 through 7.2.7 | 7.2.8 and above |
| FortiManager Cloud 7.0 | 7.0.1 through 7.0.12 | 7.0.13 and above |
| FortiManager Cloud 6.4 | All versions | Upgrade to a fixed version |
| FortiAnalyzer 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E | Models with FortiManager on FortiAnalyzer enabled via the configuration `config system global` and at least one interface with the fgfm service enabled | Follow Fortinet guidance |
Fortinet has published workarounds for organizations that cannot immediately upgrade to a patched version. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog and has given Federal Civilian Executive Branch (FCEB) agencies until November 13, 2024, to update to a fixed version.
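Because the vulnerable function lives in the fgfmd daemon, the first exposure question a defender asks is which interfaces have the fgfm service enabled. The following added example (not from Fortinet, Mandiant or the article) parses a constructed FortiManager/FortiAnalyzer CLI config dump and lists those interfaces; the config block syntax and the `allowaccess` keyword are assumptions about the Fortinet CLI and should be checked against your own device's output.

```python
from typing import Any, Dict, List

# Constructed sample of a FortiManager/FortiAnalyzer CLI config dump (not from a
# real device). The config/edit/set/next/end structure and the "allowaccess"
# keyword follow Fortinet CLI conventions as assumed here; verify on your device.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh fgfm
    next
    edit "port2"
        set ip 10.0.0.10 255.255.255.0
        set allowaccess ping https ssh
    next
end
"""

def parse_interfaces(config_text: str) -> Dict[str, Dict[str, Any]]:
    """Map interface name -> {"ip": str, "allowaccess": [services]}."""
    interfaces: Dict[str, Dict[str, Any]] = {}
    in_block, current = False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_block = True
        elif not in_block:
            continue                   # skip other config sections
        elif line == "end":
            break                      # end of the interface block
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            interfaces[current] = {"ip": "", "allowaccess": []}
        elif line == "next":
            current = None             # leave the current interface entry
        elif current is not None and line.startswith("set ip "):
            interfaces[current]["ip"] = line.split()[2]
        elif current is not None and line.startswith("set allowaccess "):
            interfaces[current]["allowaccess"] = line.split()[2:]
    return interfaces

def fgfm_enabled_interfaces(config_text: str) -> List[str]:
    """Interfaces exposing the fgfm service (served by the vulnerable fgfmd)."""
    return sorted(name for name, iface in parse_interfaces(config_text).items()
                  if "fgfm" in iface["allowaccess"])

if __name__ == "__main__":
    for name in fgfm_enabled_interfaces(SAMPLE_CONFIG):
        print(f"{name}: fgfm enabled; confirm patch level or apply Fortinet's workaround")
```

Any interface reported here that faces the Internet on an unpatched build is a candidate for the forensic investigation Mandiant recommends.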
Actively Exploited Microsoft SharePoint Flaw
CISA has also recently added a Microsoft SharePoint vulnerability to its KEV Catalog. The vulnerability is tracked as CVE-2024-38097 and has a CVSS score of 7.2. It is a deserialization vulnerability that could lead to remote code execution. To exploit it, an attacker would need to be authenticated with Site Owner permissions; with that access, it is possible to inject and execute arbitrary code in the context of the SharePoint server. Microsoft released patches for the flaw on the July 2024 Patch Tuesday.