Fortinet has publicly disclosed a critical zero-day vulnerability in its FortiManager software, identified as CVE-2024-47575. The vulnerability has been actively exploited in the wild.
Due to a missing authentication for a critical function in the FortiManager fgfmd daemon, this vulnerability allows remote unauthenticated attackers to execute arbitrary code or commands through specially crafted requests.
The flaw carries a CVSS v3 score of 9.8, highlighting its severity and potential impact on affected systems.
Reports indicate that the vulnerability has been exploited to automate the exfiltration of sensitive files from FortiManager, including IP addresses, credentials, and managed device configurations.
This exploitation does not appear to involve low-level system installations of malware or backdoors, nor does it modify databases or managed device connections.
However, unauthorized access to sensitive data poses significant security risks to organizations using FortiManager.
Affected Versions and Mitigation
The vulnerability affects multiple versions of FortiManager and FortiManager Cloud:
- FortiManager: Versions 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.7, 7.0.0 through 7.0.12, and 6.4.0 through 6.4.14.
- FortiManager Cloud: Versions 7.4.1 through 7.4.4, 7.2 (all versions), and 7.0 (all versions).
Fortinet has released patches for these versions and urges users to upgrade to secure versions immediately. Additionally, workarounds are available for certain versions, including preventing unknown devices from registering and using custom certificates for authentication.
Fortinet recommends taking immediate action to secure affected systems:
- Upgrade: Install the latest patches for FortiManager or migrate to a fixed release if using FortiManager Cloud.
- Review Configurations: Ensure configurations have not been tampered with by comparing them against backups taken before the IoC detection.
- Change Credentials: Update passwords and user-sensitive data for all managed devices.
- Isolate Compromised Systems: Keep compromised FortiManager systems isolated from the internet and configure them in offline mode for comparison with new setups.
This zero-day vulnerability underscores the importance of timely patching and vigilant monitoring of network management tools like FortiManager, which are critical components in many organizational IT infrastructures.
Organizations using FortiManager should act swiftly to mitigate the risks associated with this flaw and ensure their networks remain secure against potential exploits.
Indicators of Compromise
Fortinet has provided several indicators of compromise (IoCs) to help organizations detect if their FortiManager systems have been breached:
- Log entries showing unregistered devices being added.
- Specific IP addresses associated with malicious activity: 45.32.41.202, 104.238.141.143, 158.247.199.37, and 45.32.63.2.
- Files located in
/tmp/.tmand/var/tmp/.tmdirectories.