Fortinet has confirmed that a critical zero-day vulnerability affecting its FortiManager network management solution is being exploited in the wild.
In an October 23 security advisory (FG-IR-24-423), the cybersecurity provider published details of CVE-2024-47575, a vulnerability that lets a remote attacker who can reach a FortiManager's fgfmd daemon execute arbitrary code or commands on the appliance.
The flaw, rated 9.8 on the Common Vulnerability Scoring System (CVSS), is a missing authentication for a critical function (CWE-306) in fgfmd, the service that handles the FortiGate-to-FortiManager (FGFM) protocol on TCP port 541. A remote, unauthenticated attacker can trigger it with specially crafted requests to that service.
According to Fortinet, the following FortiManager instances are vulnerable to CVE-2024-47575:
- FortiManager 7.6.0
- FortiManager 7.4.0 through 7.4.4
- FortiManager 7.2.0 through 7.2.7
- FortiManager 7.0.0 through 7.0.12
- FortiManager 6.4.0 through 6.4.14
- FortiManager 6.2.0 through 6.2.12
- FortiManager Cloud 7.4.1 through 7.4.4
- FortiManager Cloud 7.2 (all versions)
- FortiManager Cloud 7.0 (all versions)
- FortiManager Cloud 6.4 (all versions)
Fortinet said FortiManager customers should update to a supported, fixed version on an emergency basis without waiting for a regular patch cycle to occur. A workaround is also available for some versions.
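The workaround mentioned above, shown here as an added illustration rather than text from the article: the two CLI-based mitigations from FG-IR-24-423 as recalled by the editor, which should be checked against the advisory before use, including the version ranges to which each applies. The first refuses FGFM registration attempts from devices the FortiManager does not already know; the second restricts the FGFM port (TCP 541) to the addresses of the managed FortiGates. The `192.0.2.0/24` source is a placeholder, and lines beginning with `#` are annotations, not CLI input.

```text
# Workaround 1: refuse FGFM registration from unknown devices.
# Applies to 7.0.12+, 7.2.5+ and 7.4.3+ as recalled; confirm in FG-IR-24-423.
config system global
    set fgfm-deny-unknown enable
end

# Workaround 2: allow-list the managed FortiGates on TCP 541, deny everyone else.
# Applies to 7.2.2+, 7.4.0+ and 7.6.0+ as recalled; confirm in FG-IR-24-423.
# 192.0.2.0/24 is a placeholder for the FortiGate management addresses.
config system local-in-policy
    edit 1
        set action accept
        set dport 541
        set src 192.0.2.0/24
    next
    edit 2
        set action deny
        set dport 541
    next
end
```

Neither setting replaces the fixed release. Denying unknown devices also blocks legitimate onboarding of new FortiGates, so plan registrations around it, and the local-in policy only helps if the allow-listed ranges are actually limited to the managed devices rather than a broad network.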
Security researcher Kevin Beaumont and Mandiant both reported that the zero-day is being exploited in the wild.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
Fortinet’s Slow Response Under Scrutiny
The rumor about a vulnerability in FortiManager started spreading in forums and social media in mid-October.
Notably, a public Reddit conversation indicated that Fortinet contacted some of its customers by email circa October 15 to “privately disclose” a FortiManager vulnerability and advise on mitigations.
On October 22, security researcher Kevin Beaumont claimed in a blog post that a state-sponsored actor had used this FortiManager zero-day, which he called ‘FortiJump’, in espionage attacks.
He said that nearly 60,000 FortiManager instances are exposed on the internet, with more than 13,200 in the US.
He also criticized Fortinet’s lack of response: when Beaumont published his blog post, the vulnerability had neither been confirmed by the vendor nor assigned a CVE number.
“I’m not confident that Fortinet’s narrative that they’re protecting customers by not publicly disclosing a vulnerability is protecting customers. This vulnerability has been under widespread exploitation for a while,” he wrote. “It doesn’t protect anybody by not being transparent… except maybe themselves, and any governments that don’t want to be embarrassed.”
Mandiant’s FortiJump Exploitation Analysis
In a new report, Mandiant said it is working with Fortinet to investigate mass exploitation of FortiManager appliances, with 50+ potentially compromised devices across a range of industries.
“Mandiant observed a new threat cluster we now track as UNC5820 exploiting the FortiManager vulnerability as early as June 27, 2024,” the Mandiant researchers wrote.
UNC5820 staged and exfiltrated the configuration data of the FortiGate devices managed by the exploited FortiManager. This data contains detailed configuration information of the managed appliances as well as the users and their FortiOS256-hashed passwords.
“This data could be used by UNC5820 to further compromise the FortiManager, move laterally to the managed Fortinet devices, and ultimately target the enterprise environment,” Mandiant continued.
However, the threat intelligence firm said it lacks sufficient data to confirm whether UNC5820 is a state-sponsored threat actor or where it is based.
“Organizations that may have their FortiManager exposed to the internet should conduct a forensic investigation immediately,” Mandiant concluded.
Earlier in October, CISA added another critical flaw impacting Fortinet FortiOS, FortiPAM, FortiProxy, and FortiWeb (CVE-2024-23113, CVSS score: 9.8) to its KEV catalog based on evidence of in-the-wild exploitation.
Contacted by Infosecurity, a Fortinet spokesperson responded to the criticism regarding the timing of the firm's communications: "After identifying the CVE-2024-47575 vulnerability, Fortinet promptly communicated critical information and resources to customers. This is in line with our processes and best practices for responsible disclosure to enable customers to strengthen their security posture prior to an advisory being publicly released to a broader audience, including threat actors."
"We also have published a corresponding public advisory (FG-IR-24-423) reiterating mitigation guidance, including a workaround and patch updates. We urge customers to follow the guidance provided to implement the workarounds and fixes and to continue tracking our advisory page for updates. We continue to coordinate with the appropriate international government agencies and industry threat organizations as part of our ongoing response."
This article was updated on October 25 to add Fortinet's response.