For an instance of FortiManager to be exploitable via this vulnerability (FortiJump), the FGFM protocol (tcp/541, or tcp/542 when using IPv6) must be exposed to the internet, either directly by the FortiManager instance or by a FortiGate device that is connected to a vulnerable FortiManager instance. This is because FGFM can provide access to FortiManager instances located behind NAT when a FortiGate product is exposed to the internet with FGFM enabled.
FGFM must also be enabled; it is now disabled by default following the patch for CVE-2024-23113.
Mandiant has published a comprehensive article on this weakness, its exploitation in the wild by threat actors, indicators of compromise (IOCs) and mitigation strategies.
Intruder customers can use the attack surface view to find out whether they have port tcp/541 exposed to the internet.
Overview
A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.12, Fortinet FortiManager Cloud 7.4.1 through 7.4.4, FortiManager Cloud 7.2.1 through 7.2.7, FortiManager Cloud 7.0.1 through 7.0.12 and FortiManager Cloud 6.4.1 through 6.4.7 allows an attacker to execute arbitrary code or commands via specially crafted requests.