Introduction

CVE-2024-47575 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12], also known as “FortiJump,” is a critical zero-day vulnerability in Fortinet’s FortiManager network management platform. Classified as “missing authentication for a critical function,” it lets a remote, unauthenticated attacker who can reach the FortiGate-to-FortiManager (FGFM) service execute arbitrary code or commands by sending specially crafted requests. The flaw is rated critical and is being exploited in the wild, so it requires immediate mitigation.

Description

CVE-2024-47575 arises from missing authentication for a critical function (CWE-306) in the fgfmd daemon [2] [4] [9], the service that implements the FGFM protocol between FortiGate devices and FortiManager, enabling remote [1] [2] [4] [9] [12], unauthenticated attackers to send specially crafted requests. It affects multiple versions [2] [3] [6]: FortiManager 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.7, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14 [3] [6] [9] [11], and 6.2.0 through 6.2.12 [3] [6] [9] [11], as well as FortiManager Cloud 7.4.1 through 7.4.4, 7.2.1 through 7.2.7, 7.0.1 through 7.0.13 [3] [6] [11], and 6.4.1 through 6.4.7 [3] [6] [11]. Notably, FortiManager Cloud 7.6 is not affected [9].

The vulnerability carries a CVSSv3 base score of 9.8 out of 10 [4] [5] [9] and a CVSSv2 base score of 10.0 [3], both in the critical range [3]. It is actively exploited [2] [9] [10] [11] [12]: attackers have automated the exfiltration of sensitive data held on FortiManager about its managed devices, including IP addresses, credentials [1] [2] [4] [7] [9] [10] [11], and configurations [1] [2] [4] [7] [9] [10] [11]. Fortinet has confirmed that exploitation requires a valid Fortinet device certificate, which an attacker can obtain from an existing Fortinet device [1]. To date there is no evidence of malware deployment, backdoors [1] [7], modified databases [7], or unauthorized connections to managed devices [7].

Until a fixed release can be installed, Fortinet has provided interim workarounds that depend on the FortiManager version:

  • For versions 7.0.12 or above, 7.2.5 or above [1], and 7.4.3 or above (excluding 7.6.0): Prevent unknown devices from attempting to register [1].
  • For versions 7.2.0 and above: Implement local-in policies that allow-list the IP addresses of FortiGates permitted to connect to the FGFM service (TCP port 541) and drop all other sources.
  • For versions 7.2.2 and above, 7.4.0 and above, and 7.6.0 and above: Use a custom certificate so that only FortiGates carrying it can connect [1].

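The affected ranges and the version-dependent workaround list above are easy to misread across a fleet of appliances. As an added example (not code from Fortinet, Rapid7 or any of the cited sources), the following Python script encodes those ranges and the workaround eligibility rules exactly as stated above so that an inventory of FortiManager version strings can be triaged offline. The product labels, the workaround names and the sample inventory are constructed for illustration; the script does not contact any appliance, and upgrading to a fixed release remains the actual remediation.

```python
"""Offline triage helper for CVE-2024-47575 (added example, not vendor code).

Encodes the affected version ranges and the per-version workaround
eligibility quoted above from Fortinet's advisory. Feed it the version
string a FortiManager reports (e.g. from the dashboard or `get system status`).
"""
from typing import NamedTuple


class Version(NamedTuple):
    major: int
    minor: int
    patch: int


def parse_version(text: str) -> Version:
    """Accept '7.4.3', 'v7.4.3' or 'v7.4.3-<build suffix>' and return a comparable tuple."""
    core = text.strip().lstrip("vV").split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiManager version: {text!r}")
    return Version(*(int(p) for p in parts))


# Affected ranges (inclusive) as listed in the advisory summary above.
# FortiManager Cloud 7.6 has no entry and therefore reports as unaffected.
AFFECTED = {
    "FortiManager": [
        ((7, 6, 0), (7, 6, 0)),
        ((7, 4, 0), (7, 4, 4)),
        ((7, 2, 0), (7, 2, 7)),
        ((7, 0, 0), (7, 0, 12)),
        ((6, 4, 0), (6, 4, 14)),
        ((6, 2, 0), (6, 2, 12)),
    ],
    "FortiManager Cloud": [
        ((7, 4, 1), (7, 4, 4)),
        ((7, 2, 1), (7, 2, 7)),
        ((7, 0, 1), (7, 0, 13)),
        ((6, 4, 1), (6, 4, 7)),
    ],
}


def is_affected(product: str, version: str) -> bool:
    """True if the given product/version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED[product])


def applicable_workarounds(version: str) -> list[str]:
    """Interim workarounds the advisory says an on-prem version supports.

    The three checks mirror the three bullets above: 7.6.0 is explicitly
    excluded from the deny-unknown option, and 6.x has no workaround at all.
    Workaround names are this example's own labels.
    """
    v = parse_version(version)
    branch = (v.major, v.minor)
    out = []
    if (branch == (7, 0) and v.patch >= 12) or (branch == (7, 2) and v.patch >= 5) \
            or (branch == (7, 4) and v.patch >= 3):
        out.append("deny-unknown-devices")
    if v >= (7, 2, 0):
        out.append("local-in-allowlist")   # allow-list FortiGate IPs on FGFM (TCP/541)
    if (branch == (7, 2) and v.patch >= 2) or v >= (7, 4, 0):
        out.append("custom-certificate")
    return out


def triage(inventory: list[tuple[str, str, str]]) -> dict[str, dict]:
    """Map each (hostname, product, version) to its exposure and options.

    Cloud instances are operated by Fortinet, so only on-prem hosts get a
    workaround list; every affected host should be scheduled for upgrade
    and, given the observed exfiltration, a credential reset on managed devices.
    """
    result = {}
    for host, product, version in inventory:
        affected = is_affected(product, version)
        result[host] = {
            "affected": affected,
            "workarounds": applicable_workarounds(version)
            if affected and product == "FortiManager" else [],
        }
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("fmg-dc1", "FortiManager", "v7.4.3"),
        ("fmg-lab", "FortiManager", "7.6.0"),
        ("fmg-old", "FortiManager", "6.4.14"),
        ("fmg-patched", "FortiManager", "7.4.5"),
        ("fmg-cloud", "FortiManager Cloud", "7.6.0"),
    ]
    for host, info in triage(sample).items():
        print(f"{host}: affected={info['affected']} workarounds={info['workarounds']}")
```

Two design points worth noting: version strings are reduced to a three-part tuple before comparison so that build suffixes cannot cause a string comparison to misclassify a host, and a 6.x appliance deliberately comes back with an empty workaround list, which is the advisory's position that those branches can only be patched.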
CVE-2024-47575 has been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog [7], which under Binding Operational Directive (BOD) 22-01 [8] requires federal agencies to apply fixes by November 13, 2024 [1]. While the directive binds only Federal Civilian Executive Branch (FCEB) agencies, all organizations are strongly advised to prioritize remediation to reduce their exposure. Fortinet has communicated critical information and resources to customers and published a public advisory with mitigation guidance [1], including indicators of compromise (IOCs) to monitor for [9].

Mandiant attributes the mass exploitation of FortiManager appliances via CVE-2024-47575 to a threat cluster it tracks as UNC5820 [1]. Over 50 potentially compromised devices have been identified [1], with evidence of exploitation dating back to June 27, 2024. UNC5820 exfiltrated configuration data from FortiManager [1] [2], including detailed information about the managed FortiGate devices and their user credentials [1]. At the time of reporting there was no evidence that the actor used this data for further exploitation or lateral movement within victim networks [1]. The origins and motivations of UNC5820 remain unclear [1].

Customers assessing their exposure to CVE-2024-47575 can use the authenticated check Rapid7 provides for InsightVM and Nexpose. Detection coverage is available for InsightIDR and Managed Detection and Response customers [9], with a recommendation to install the Insight Agent for better visibility into suspicious activity related to this vulnerability [9]. Fortinet urges customers to apply the fixes, or the workarounds where an upgrade is not yet possible [5]. Users and administrators should consult Fortinet Advisory FG-IR-24-423 for the patched versions and mitigations [8]; further guidance on investigating the zero-day exploitation of FortiManager is available from Google Threat Intelligence [8]. Because the FortiManager database may already have been exfiltrated, organizations are also advised to rotate the credentials of all managed devices [11].

Conclusion

The critical severity of CVE-2024-47575, combined with confirmed in-the-wild exploitation since June 2024, makes immediate mitigation essential. Organizations should upgrade to a fixed FortiManager release, apply the version-appropriate workaround until they can, hunt for the published IOCs, and rotate credentials for managed devices. Its inclusion in CISA’s Known Exploited Vulnerabilities Catalog underlines that urgency. As the threat landscape evolves, continuous monitoring and timely updates remain the baseline defence against threats of this kind.

References

[1] https://thehackernews.com/2024/10/fortinet-warns-of-critical.html
[2] https://www.helpnetsecurity.com/2024/10/24/cve-2024-47575/
[3] https://www.tenable.com/cve/CVE-2024-47575
[4] https://www.darkreading.com/vulnerabilities-threats/critical-bug-exploited-fortinet-management-console
[5] https://www.crn.com/news/security/2024/critical-fortimanager-flaw-has-seen-exploitation-since-june-mandiant
[6] https://nvd.nist.gov/vuln/detail/CVE-2024-47575
[7] https://www.csoonline.com/article/3586092/critical-fortinet-vulnerability-finds-zero-day-rce-exploits.html
[8] https://www.cisa.gov/news-events/alerts/2024/10/23/cisa-adds-one-known-exploited-vulnerability-catalog
[9] https://www.rapid7.com/blog/post/2024/10/23/etr-fortinet-fortimanager-cve-2024-47575-exploited-in-zero-day-attacks/
[10] https://siliconangle.com/2024/10/24/critical-vulnerability-fortinets-fortimanager-exploited-wild/
[11] https://digital.nhs.uk/cyber-alerts/2024/cc-4567
[12] https://www.techtarget.com/searchSecurity/news/366614476/Fortinet-discloses-critical-zero-day-flaw-in-FortiManager