Insights | Integrity360

Threat Advisory: Critical zero-day vulnerability affecting Fortinet’s FortiManager platform

Written by Integrity360 | 24 October 2024 09:49:44 Z

Severity: Critical
CVSSv3 Score: 9.8 
Date: Oct 23, 2024

A critical zero-day vulnerability (CVE-2024-47575) affecting Fortinet’s FortiManager platform has been identified, with a CVSS score of 9.8. This flaw has been actively exploited since June 2024, enabling attackers to remotely execute commands and steal sensitive configuration data, including information on FortiGate devices, such as IP addresses and credentials. Integrity360 are observing cases in the wild and encourages vulnerable organisations to install the latest patches as soon as possible.

Summary:

CVE-2024-47575 is a critical zero-day vulnerability affecting Fortinet’s FortiManager platform. The flaw, which has been actively exploited since at least June 2024, is a missing authentication vulnerability in the FortiManager’s FGFM (FortiGate to FortiManager) API.

This allows attackers to remotely execute commands and steal sensitive configuration data from FortiManager servers, including information on managed FortiGate devices, such as IP addresses and credentials.

It has been used to automate the exfiltration of files from compromised FortiManager systems, potentially allowing attackers to target downstream networks managed by FortiGate devices.

 

Version            Affected           Solution
FortiManager 7.6      7.6.0                 Upgrade to 7.6.1 or above
FortiManager 7.4      7.4.0 through 7.4.4        Upgrade to 7.4.5 or above
FortiManager 7.2      7.2.0 through 7.2.7         Upgrade to 7.2.8 or above
FortiManager 7.0      7.0.0 through 7.0.12            Upgrade to 7.0.13 or above
FortiManager 6.4      6.4.0 through 6.4.14           Upgrade to 6.4.15 or above
FortiManager 6.2      6.2.0 through 6.2.12            Upgrade to 6.2.13 or above
FortiManager Cloud   7.6  Not affected                         Not Applicable
FortiManager Cloud   7.4    7.4.1 through 7.4.4            Upgrade to 7.4.5 or above
FortiManager Cloud   7.2  7.2.1 through 7.2.7             Upgrade to 7.2.8 or above
FortiManager Cloud   7.0  7.0.1 through 7.0.12             Upgrade to 7.0.13 or above
FortiManager Cloud   6.4 6.4 all versions               Migrate to a fixed release

 

Fortinet has released patched versions (7.0.13, 7.2.8, and 7.4.5) and recommends upgrading immediately. For situations where immediate patching isn't possible, workarounds include:

Blocking unknown devices using the set fgfm-deny-unknown enable command.
Allow-listing specific IP addresses for connecting FortiGate devices.
Implementing certificate-based authentication for FortiManager-FortiGate connections.

Recommended Actions:

Apply patches for the affected versions. If it isn't possible, apply workaround 
Audit logs for suspicious activity

Enhance security configurations to prevent unauthorised access, like Allow-listing.

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.