Urgent Security Advisory: Fortinet FortiManager Vulnerability CVE-2024-47575

Fortinet users, take note: a severe vulnerability has been detected in FortiManager, putting your networks at serious risk. Cybercriminals are actively exploiting the recently discovered zero-day vulnerability, CVE-2024-47575 (CVSS 9.8), allowing remote attackers to execute arbitrary code through specially crafted requests. Fortinet has responded, providing workarounds, but upgrading to an unaffected version will fully resolve the issue.

What you need to know about vulnerability CVE-2024-47575 

The vulnerability (CWE-306: Missing Authentication for Critical Function) in the FortiManager fgfmd daemon can allow remote, unauthenticated attackers to gain full control of the system, potentially executing malicious code or commands. Given its high CVSS score (9.8), this vulnerability poses a critical risk to organisations relying on FortiManager to protect and manage their FortiGate deployments. 

Affected versions 

The following FortiManager versions are affected: 

• FortiManager 7.6: 7.6.0 — Upgrade to 7.6.1 or above 

• FortiManager 7.4: 7.4.0 through 7.4.4 — Upgrade to 7.4.5 or above 

• FortiManager 7.2: 7.2.0 through 7.2.7 — Upgrade to 7.2.8 or above 

• FortiManager 7.0: 7.0.0 through 7.0.12 — Upgrade to 7.0.13 or above 

• FortiManager 6.4: 6.4.0 through 6.4.14 — Upgrade to 6.4.15 or above 

• FortiManager 6.2: 6.2.0 through 6.2.12 — Upgrade to 6.2.13 or above 

The impact also extends to FortiManager Cloud users, requiring them to upgrade various versions from 6.4 to 7.4 to the latest release.

e2e-assure’s Recommendations: What you should do now 

Fortinet advises upgrading to a fixed version as soon as possible. Below are the recommended mitigation steps if upgrading isn’t immediately feasible: 

1. Prevent unknown devices from registering: For FortiManager versions 7.0.12 or above, 7.2.5 or above, and 7.4.3 or above (excluding 7.6.0), configure the system to deny unknown devices attempting to register.
   Warning: FortiGate devices not explicitly listed will not register, even if model devices with pre-shared keys are set up.
2. Add local-in policies: For FortiManager versions 7.2.0 and above, add local-in policies to whitelist IP addresses of allowed FortiGate connections.
3. Use custom certificates: For versions 7.2.2 and above, 7.4.0 and above, and 7.6.0 and above, configure FortiManager to use a custom certificate, which mitigates this vulnerability. 

For more information, visit https://www.fortiguard.com/psirt/FG-IR-24-423 

How to detect signs of exploitation with vulnerability CVE-2024-47575: 

Closely monitor network traffic patterns and FortiManager logs to detect signs of this vulnerability being exploited. Indicators of compromise (IoCs) may include unusual or unexpected connections to the fgfmd daemon, especially from external or untrusted IP addresses.  

Look for the following signs: 

• Unusual Login Attempts: Monitor repeated login attempts or access from IP addresses that are not typically associated with your infrastructure.

• Network Traffic Anomalies: Increased or abnormal traffic on port 541, which is used for FortiManager communications. This may indicate attempts to exploit the vulnerability. 

• Suspicious Commands Executed: Check logs for any unusual commands executed by the fgfmd daemon, particularly those that are not part of routine operations. 

• Unauthorized Configuration Changes: Unexpected changes in system configurations could be a sign that an attacker has gained access. 

Why does vulnerability CVE-2024-47575 matter? 

Due to the nature of this vulnerability, once exploited threat actors can gain full control of operating systems, potentially causing significant impact to business operations due to loss of system control and the risk of a data breach.  

Staying secure 

e2e-assure are aware of the ongoing activity and continue to follow advice on detection as well as continuing to be vigilant on the detections we have in place. Internally we recommend organisations remain vigilant by regularly checking for updates, patching vulnerabilities as soon as fixes are released, and only taking advice from trusted sources. We recommend visiting Fortinet’s official advisory page or consult with your security provider to ensure your infrastructure is secure. 

How we can help? 

For e2e-assure customers, our team is here to assist with implementing mitigations and upgrades. If you have questions about this vulnerability or need assistance, please reach out to your account manager. 

For non e2e-assure customers, we recommend visiting Fortinet’s official advisory page or consulting with your security provider. If you do not have a security provider, contact us for support.  

You can find our full list of Threat Intelligence reports with monthly updates on subjects like this here: https://e2e-assure.com/threat-intelligence-summaries/