Fortinet discloses critical zero-day flaw in FortiManager

According to Fortinet, the FortiManager vulnerability 'may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.'

Fortinet on Wednesday publicly disclosed CVE-2024-47575, a critical zero-day vulnerability in its product management tool FortiManager that has been exploited in the wild.

CVE-2024-47575 is a zero-day flaw with a 9.8 CVSS score. Fortinet described the issue in a security advisory as "A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests."

Many versions of FortiManager and FortiManager Cloud are affected. Fixed releases are available for every affected branch, with two exceptions: FortiManager Cloud 7.6, the latest version, is not affected, and FortiManager Cloud 6.4.0 has no patch and must be migrated to a fixed release. Fortinet also said older FortiAnalyzer models are affected when the FortiManager feature is enabled on them.

The advisory lists three workarounds for customers who cannot patch immediately. For FortiManager 7.0.12 or above, 7.2.5 or above and 7.4.3 or above (but not 7.6.0), administrators can configure FortiManager to reject registration attempts from unknown devices. For FortiManager 7.2.0 and above, they can instead "add local-in policies to whitelist the IP addresses of FortiGates that are allowed to connect." Lastly, FortiManager 7.2.2 and above, 7.4.0 and above and 7.6.0 and above can use a custom certificate to mitigate the issue.
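The three workarounds above, expressed as FortiManager CLI configuration. This is an added illustration by the editor, not text from the article or from Fortinet's advisory. The option names (fgfm-deny-unknown, the local-in policy on the FGFM port, fgfm-ca-cert and fgfm-cert-exclusive) and the use of TCP port 541 for the FGFM service are the editor's recollection of the FortiManager CLI and should be checked against FG-IR-24-423 for the release in use before applying anything; the IP addresses and CA name are placeholders.

```text
# Added example (not from the article or the advisory): the FG-IR-24-423
# workarounds as FortiManager CLI configuration. Apply the one that matches
# the version ranges given in the text, and verify option names against the
# advisory for your release first.

# Workaround 1 (7.0.12+, 7.2.5+, 7.4.3+; not 7.6.0): refuse registration
# attempts from devices FortiManager does not already know.
# Side effect: new FortiGates cannot auto-register until this is disabled.
config system global
    set fgfm-deny-unknown enable
end

# Workaround 2 (7.2.0+): local-in policies so that only known FortiGate
# management addresses may reach the FGFM service (TCP 541).
# 192.0.2.10 and 192.0.2.11 are placeholder (documentation-range) addresses;
# the exact src syntax should be checked against the advisory.
config system local-in-policy
    edit 1
        set action accept
        set dport 541
        set src 192.0.2.10 192.0.2.11
    next
    edit 2
        set action deny
        set dport 541
    next
end

# Workaround 3 (7.2.2+, 7.4.0+, 7.6.0+): require a custom CA for FGFM and
# reject devices presenting certificates issued by any other CA.
# "my-fgfm-ca" is a placeholder for a CA certificate already imported on
# FortiManager; every managed FortiGate must then hold a certificate from it.
config system global
    set fgfm-ca-cert "my-fgfm-ca"
    set fgfm-cert-exclusive enable
end
```

Whichever workaround is applied, the advisory's indicators of compromise should still be checked on the appliance, because a workaround applied after exploitation does not undo an earlier compromise.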

The advisory also includes indicators of compromise and recovery guidance. However, it gives neither complete technical details of the flaw nor any information about the scope or nature of the exploitation.

The vulnerability, dubbed "FortiJump" by security researcher Kevin Beaumont, first came to light Oct. 13 when researchers such as Beaumont warned of a troubling, undisclosed FortiManager flaw that users should mitigate and patch as soon as possible. Fortinet reportedly notified FortiManager customers of the flaw privately. On Mastodon at the time, Beaumont said anyone with an internet-facing instance should "remove it from the internet now."

Over the following days, Fortinet began patching versions of FortiManager and informing some customers of the issue. But for more than a week, the vendor neither publicly disclosed the flaw nor issued a CVE for it.

TechTarget Editorial earlier this week contacted Fortinet for comment on the reported FortiManager vulnerability, but the company did not respond.

Beaumont on Tuesday published a blog post on the vulnerability, and on Wednesday Fortinet publicly disclosed CVE-2024-47575. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on Wednesday as well.

It's unclear which threat actors have been exploiting the FortiManager flaw or how many customers have been affected. TechTarget Editorial contacted Fortinet for additional information, and the company issued the following statement:

"After identifying this vulnerability (CVE-2024-47575), Fortinet promptly communicated critical information and resources to customers. This is in line with our processes and best practices for responsible disclosure to enable customers to strengthen their security posture prior to an advisory being publicly released to a broader audience, including threat actors. We also have published a corresponding public advisory (FG-IR-24-423) reiterating mitigation guidance, including a workaround and patch updates. We urge customers to follow the guidance provided to implement the workarounds and fixes and to continue tracking our advisory page for updates. We continue to coordinate with the appropriate international government agencies and industry threat organizations as part of our ongoing response."

Fortinet has faced several serious security issues this year. In February, Fortinet disclosed an out-of-bounds write zero-day vulnerability tracked as CVE-2024-21762, as well as a critical remote code execution bug, CVE-2024-23113. Both have been exploited in the wild. And last month, the vendor confirmed it suffered a data breach involving an extortion demand.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
