CVE-2024-47575

Published Oct 23, 2024

Insights

Analysis from the Intruder Security Team
Published Oct 24, 2024 Updated Oct 24, 2024

For a FortiManager instance to be exploitable via this vulnerability (FortiJump), the FGFM service (tcp/541, or tcp/542 when running over IPv6) must be reachable from the internet. That exposure can come either from the FortiManager instance itself or from a FortiGate that is managed by a vulnerable FortiManager: an internet-exposed FortiGate with FGFM enabled can provide a path to a FortiManager that is otherwise behind NAT.

FGFM must also be enabled; it is disabled by default following the patch for CVE-2024-23113.

Mandiant has published a comprehensive article on this weakness, covering its exploitation in the wild by threat actors, IOCs and mitigation strategies.

Intruder customers can use the attack surface view to find out if they have port tcp/541 exposed to the internet.
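Because the exposure condition above is about FGFM being enabled on an internet-facing interface (on the FortiManager itself or on a managed FortiGate), a configuration-side check complements an external port scan for tcp/541. The following is an added example written for this page, not Intruder tooling or Fortinet code: it parses the `config system interface` block of a FortiGate/FortiManager CLI configuration, lists each interface that has `fgfm` in its `allowaccess` (or `ip6-allowaccess`) list together with the address and port it would listen on, and flags the interface as internet-facing when the address is outside RFC 1918, link-local and loopback space. The sample configuration, the `parse_interfaces` and `fgfm_exposure` names, and the internet-facing heuristic are assumptions made for the example; a non-private address is not proof of reachability, and a private one does not rule out a port-forward, so the result should be read alongside an external scan.

```python
"""Static FGFM-exposure check over a Fortinet CLI config (added example, see lead-in).
Reports interfaces with fgfm in allowaccess, their listener address:port, and whether
the address lies outside RFC 1918 / link-local / loopback space."""
import ipaddress
import re

FGFM_PORT_IPV4, FGFM_PORT_IPV6 = 541, 542

# Constructed sample config for the demo; not taken from any real device.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.248
        set allowaccess ping https ssh fgfm
        config ipv6
            set ip6-address 2001:db8:1::10/64
            set ip6-allowaccess ping https fgfm
        end
    next
    edit "internal"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh fgfm
    next
    edit "dmz"
        set ip 198.51.100.5 255.255.255.0
        set allowaccess ping https
    next
end
"""

# Treated as internal: a first cut for "probably behind NAT", not proof of unreachability.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(addr):
    """True if addr is in one of INTERNAL_NETS (a v4/v6 version mismatch is simply False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_interfaces(config_text):
    """Collect ip / ip6 / allowaccess / ip6-allowaccess per interface entry.
    Tracks config/end nesting so `config ipv6 ... end` inside an entry is handled."""
    interfaces, current, depth, in_block = {}, None, 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            in_block = in_block or (depth == 1 and line == "config system interface")
            continue
        if line == "end":
            if in_block and depth == 1:
                break                                   # closing end of the interface block
            depth -= 1
            continue
        if not in_block:
            continue
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m and depth == 1:
            current = m.group(1)
            interfaces[current] = {"ip": None, "ip6": None, "allowaccess": set(), "ip6_allowaccess": set()}
            continue
        if line == "next" and depth == 1:
            current = None
            continue
        parts = line.split()
        if current is None or len(parts) < 3 or parts[0] != "set":
            continue
        key, values = parts[1], parts[2:]
        if key == "allowaccess":
            interfaces[current]["allowaccess"] = set(values)
        elif key == "ip6-allowaccess":
            interfaces[current]["ip6_allowaccess"] = set(values)
        elif key == "ip" and values[0] != "0.0.0.0":         # 0.0.0.0 means no address assigned
            interfaces[current]["ip"] = values[0]
        elif key == "ip6-address":
            interfaces[current]["ip6"] = values[0].split("/")[0]
    return interfaces


def fgfm_exposure(config_text):
    """One finding per interface that would accept FGFM (tcp/541 for IPv4, tcp/542 for IPv6)."""
    findings = []
    for name, iface in parse_interfaces(config_text).items():
        listeners = []
        if iface["ip"] and "fgfm" in iface["allowaccess"]:
            listeners.append((iface["ip"], FGFM_PORT_IPV4))
        if iface["ip6"] and "fgfm" in iface["ip6_allowaccess"]:
            listeners.append((iface["ip6"], FGFM_PORT_IPV6))
        if listeners:
            findings.append({
                "interface": name,
                "listeners": [f"[{a}]:{p}" if ":" in a else f"{a}:{p}" for a, p in listeners],
                "internet_facing": any(not is_internal(a) for a, _ in listeners),
            })
    return findings


if __name__ == "__main__":
    for f in fgfm_exposure(SAMPLE_CONFIG):
        state = "INTERNET-FACING" if f["internet_facing"] else "internal"
        print(f"{f['interface']}: fgfm on {', '.join(f['listeners'])} ({state})")
```

Run it against a configuration backup from each FortiManager and from each FortiGate it manages; a hit on a WAN-facing interface of either device is the exposure condition described above, and the FortiGate case is the one an external scan of the FortiManager address alone would miss.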

Overview

A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.12, Fortinet FortiManager Cloud 7.4.1 through 7.4.4, FortiManager Cloud 7.2.1 through 7.2.7, FortiManager Cloud 7.0.1 through 7.0.12, FortiManager Cloud 6.4.1 through 6.4.7 allows an attacker to execute arbitrary code or commands via specially crafted requests.
Source: psirt@fortinet.com
Status: Analyzed

Risk scores

CVSS 3.1

Primary
Base score: 9.8 (CRITICAL)
Impact subscore: 5.9
Exploitability subscore: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Known exploits

Data from CISA

Fortinet FortiManager Missing Authentication Vulnerability

Date added: Oct 23, 2024

Due date: Nov 13, 2024

Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Weaknesses

CWE-306: Missing Authentication for Critical Function

Configurations