Fortinet Confirms Exploitation of Critical FortiManager Zero-Day Vulnerability

Fortinet has confirmed that a critical zero-day vulnerability affecting its FortiManager network management solution is being exploited in the wild.

In an October 23 security advisory, the cybersecurity provider shared more information on CVE-2024-47575, a vulnerability that allows an attacker-controlled Fortinet device that can reach a FortiManager's FortiGate-to-FortiManager (FGFM) service to execute arbitrary code or commands on that FortiManager.

This vulnerability, which carries a Common Vulnerability Scoring System (CVSS) score of 9.8, is the result of a missing authentication for a critical function (CWE-306) in the FortiManager fgfmd daemon, which allows a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

According to Fortinet, the following FortiManager instances are vulnerable to CVE-2024-47575:

  • FortiManager 7.6.0
  • FortiManager 7.4.0 through 7.4.4
  • FortiManager 7.2.0 through 7.2.7
  • FortiManager 7.0.0 through 7.0.12
  • FortiManager 6.4.0 through 6.4.14
  • FortiManager 6.2.0 through 6.2.12
  • FortiManager Cloud 7.4.1 through 7.4.4
  • FortiManager Cloud 7.2 (all versions)
  • FortiManager Cloud 7.0 (all versions)
  • FortiManager Cloud 6.4 (all versions)
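The ranges above are easy to misread when triaging a fleet of appliances, so here is an added example (not Fortinet tooling and not from the advisory itself) that encodes exactly the affected ranges listed above and checks inventory version strings against them. The product names, the version-string formats it accepts and the sample inventory are assumptions constructed for the example.

```python
import re

# Affected ranges as listed in Fortinet's advisory for CVE-2024-47575
# (reproduced in the list above). Each entry is (lowest, highest) with
# inclusive bounds; a None upper bound means every version of that
# release train (the advisory's "all versions").
AFFECTED = {
    "FortiManager": [
        ((7, 6, 0), (7, 6, 0)),
        ((7, 4, 0), (7, 4, 4)),
        ((7, 2, 0), (7, 2, 7)),
        ((7, 0, 0), (7, 0, 12)),
        ((6, 4, 0), (6, 4, 14)),
        ((6, 2, 0), (6, 2, 12)),
    ],
    "FortiManager Cloud": [
        ((7, 4, 1), (7, 4, 4)),
        ((7, 2, 0), None),
        ((7, 0, 0), None),
        ((6, 4, 0), None),
    ],
}

# Accepts 'v7.4.3', '7.4.3 build2542', '7.4' and similar (assumed formats).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Normalise a version string to a (major, minor, patch) tuple;
    a missing patch level counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(product, version):
    """True if (product, version) falls inside one of the advisory's ranges."""
    try:
        ranges = AFFECTED[product]
    except KeyError:
        raise ValueError(f"unknown product: {product!r}") from None
    v = parse_version(version)
    for low, high in ranges:
        if high is None:
            # "all versions" of a release train: compare major.minor only
            if v[:2] == low[:2]:
                return True
        elif low <= v <= high:
            return True
    return False


def triage(inventory):
    """Split an inventory of (hostname, product, version) tuples into
    hostnames inside an advisory range and hostnames outside all of them."""
    affected, clear = [], []
    for host, product, version in inventory:
        (affected if is_affected(product, version) else clear).append(host)
    return affected, clear


# Constructed sample inventory for the example; not real hosts.
SAMPLE_INVENTORY = [
    ("fmg-hq", "FortiManager", "v7.4.4 build2585"),
    ("fmg-dr", "FortiManager", "7.4.5"),
    ("fmg-lab", "FortiManager", "7.6.0"),
    ("fmg-legacy", "FortiManager", "6.0.9"),
    ("fmg-cloud", "FortiManager Cloud", "7.2.9"),
]

if __name__ == "__main__":
    hit, ok = triage(SAMPLE_INVENTORY)
    print("inside an advisory range:", hit)
    print("outside every listed range:", ok)
```

Note the caveat the last sample host illustrates: a version that falls outside every listed range (here a 6.0 build) is reported as "not listed", not as safe. The advisory only enumerates trains Fortinet assessed, so an end-of-life build should be treated as needing an upgrade regardless of what this check returns.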

Fortinet said FortiManager customers should update to a supported, fixed version on an emergency basis without waiting for a regular patch cycle to occur. A workaround is also available for some versions.
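For readers who cannot patch immediately, the following is an added illustration of what the registration-hardening workaround looks like on a FortiManager CLI. It is not text from Fortinet's advisory: the option names, the release thresholds in the comments and the placeholder address 203.0.113.10 are assumptions recalled from the advisory and should be verified against it before being applied.

```text
# Reject registration attempts from devices FortiManager does not already
# manage. Assumed available on 7.0.12, 7.2.5 and 7.4.3 or later (not on
# 7.6.0); on builds without the option, use a local-in policy instead.
config system global
    set fgfm-deny-unknown enable
end

# Alternative for 7.2.0 and later: allow only the management addresses of
# known FortiGates to reach the FGFM service on TCP/541 and deny the rest.
# 203.0.113.10 is a placeholder for a real FortiGate address.
config system local-in-policy
    edit 1
        set action accept
        set dport 541
        set src 203.0.113.10/32
    next
    edit 2
        set action deny
        set dport 541
        set src 0.0.0.0/0
    next
end
```

Neither setting removes the bug; they only narrow who can reach fgfmd. A device that is already registered, or an attacker on an allow-listed address, is not affected by either control, so the workaround is a stopgap until the fixed release is installed.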

Several security researchers, including Kevin Beaumont and Mandiant researchers, reported that the zero-day vulnerability is being exploited in the wild.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.


Fortinet’s Slow Response Under Scrutiny

Rumors of a vulnerability in FortiManager began circulating on forums and social media in mid-October.

Notably, a public Reddit conversation indicated that Fortinet had contacted some of its customers by email circa October 15 to "privately disclose" a FortiManager vulnerability and advise on mitigations.

On October 22, security researcher Kevin Beaumont claimed in a blog post that a state-sponsored actor had used this FortiManager zero-day vulnerability, which he called 'FortiJump', in espionage attacks.

He said that nearly 60,000 FortiManager instances are exposed on the internet, with more than 13,200 in the US.

He also criticized Fortinet's lack of response, noting that when he published his blog post the vulnerability had neither been confirmed by the manufacturer nor been assigned a CVE identifier.


“I’m not confident that Fortinet’s narrative that they’re protecting customers by not publicly disclosing a vulnerability is protecting customers. This vulnerability has been under widespread exploitation for a while,” he wrote. “It doesn’t protect anybody by not being transparent… except maybe themselves, and any governments that don’t want to be embarrassed.”

Mandiant’s FortiJump Exploitation Analysis

In a new report, Mandiant said it is collaborating with Fortinet to investigate the mass exploitation of FortiManager appliances, spanning more than 50 potentially compromised FortiManager devices across various industries.

“Mandiant observed a new threat cluster we now track as UNC5820 exploiting the FortiManager vulnerability as early as June 27, 2024,” the Mandiant researchers wrote.

UNC5820 staged and exfiltrated the configuration data of the FortiGate devices managed by the exploited FortiManager. This data contains detailed configuration information of the managed appliances as well as the users and their FortiOS256-hashed passwords.

“This data could be used by UNC5820 to further compromise the FortiManager, move laterally to the managed Fortinet devices, and ultimately target the enterprise environment,” Mandiant continued.

However, the threat intelligence firm said it lacks sufficient data to confirm whether UNC5820 is a state-sponsored threat actor or where it is based.

“Organizations that may have their FortiManager exposed to the internet should conduct a forensic investigation immediately,” Mandiant concluded.

Earlier in October, CISA added another critical flaw impacting Fortinet FortiOS, FortiPAM, FortiProxy, and FortiWeb (CVE-2024-23113, CVSS score: 9.8) to its KEV catalog based on evidence of in-the-wild exploitation.
