Fortinet has warned of a critical vulnerability in its FortiManager management platform, a tool that defines network and security policies for all its products.
At least one threat actor with state-level backing has exploited this critical vulnerability; the earliest known exploitation was detected on June 27, 2024. The flaw allows data to be extracted from endpoints managed by FortiManager.
The vulnerability, tracked as CVE-2024-47575, has an assigned CVSS v3.1 severity score of 9.8. It stems from missing authentication for a critical function in the FortiManager fgfmd daemon; security researcher Kevin Beaumont named it FortiJump. When exploited, an unauthenticated attacker could run arbitrary code or commands on unpatched FortiManager devices.
To exploit the vulnerability, an attacker needs a valid Fortinet device certificate. Such a certificate can be obtained from an existing Fortinet device and reused across multiple attacks. According to Fortinet, attackers who exploited the vulnerability used an automated script to extract files from FortiManager. The files contain data such as IP addresses, device settings, and credentials. Fortinet found no modified databases or connections, and the vulnerability does not appear to have been used to install backdoors or malware on FortiManager systems. The attackers only stole information.
The threat actor(s) responsible for exploiting the vulnerability are not yet known. Mandiant tracks the activity as UNC5820 and has identified more than 50 potential victims. Because the vulnerability has been exploited for a known period of time, simply upgrading to a patched version is not enough. Mandiant advises everyone with vulnerable, internet-exposed products to perform a forensic investigation without delay.
Below is the list of FortiManager versions impacted by vulnerability CVE-2024-47575 followed by the patched versions:
- FortiManager 7.6 version 7.6.0; patched versions 7.6.1 and above
- FortiManager 7.4 versions 7.4.0 through 7.4.4; patched versions 7.4.5 and above
- FortiManager 7.2 versions 7.2.0 through 7.2.7; patched versions 7.2.8 and above
- FortiManager 7.0 versions 7.0.0 through 7.0.12; patched versions 7.0.13 and above
- FortiManager 6.4 versions 6.4.0 through 6.4.14; patched versions 6.4.15 and above
- FortiManager 6.2 versions 6.2.0 through 6.2.12; patched versions 6.2.13 and above
- FortiManager Cloud 7.4 versions 7.4.1 through 7.4.4; patched versions 7.4.5 and above
- FortiManager Cloud 7.2 versions 7.2.1 through 7.2.7; patched versions 7.2.8 and above
- FortiManager Cloud 7.0 versions 7.0.1 through 7.0.12; patched versions 7.0.13 and above
- FortiManager Cloud 6.4 all versions; upgrade to a fixed version
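As an added illustration (not code from the article or from Fortinet), the following Python encodes the version ranges above and classifies an inventory of FortiManager version strings against them; the product labels, the handling of "all versions", the "unlisted" outcome for branches the table does not cover, and the sample hosts are the example's own assumptions.

```python
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as listed in the article: (product, first affected, last affected,
# first fixed). None for "first fixed" means the article names no fixed build number.
AFFECTED = [
    ("FortiManager", (7, 6, 0), (7, 6, 0), (7, 6, 1)),
    ("FortiManager", (7, 4, 0), (7, 4, 4), (7, 4, 5)),
    ("FortiManager", (7, 2, 0), (7, 2, 7), (7, 2, 8)),
    ("FortiManager", (7, 0, 0), (7, 0, 12), (7, 0, 13)),
    ("FortiManager", (6, 4, 0), (6, 4, 14), (6, 4, 15)),
    ("FortiManager", (6, 2, 0), (6, 2, 12), (6, 2, 13)),
    ("FortiManager Cloud", (7, 4, 1), (7, 4, 4), (7, 4, 5)),
    ("FortiManager Cloud", (7, 2, 1), (7, 2, 7), (7, 2, 8)),
    ("FortiManager Cloud", (7, 0, 1), (7, 0, 12), (7, 0, 13)),
    ("FortiManager Cloud", (6, 4, 0), (6, 4, 999), None),  # "all versions" (assumed upper bound)
]


def parse_version(text: str) -> Version:
    """Parse '7.4.3' or 'v7.4.3' into a comparable tuple; reject anything else."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(product: str, version: str) -> Tuple[str, str]:
    """Return (status, advice); status is 'affected', 'fixed' or 'unlisted'."""
    v = parse_version(version)
    for prod, first, last, fixed in AFFECTED:
        if prod != product or v[:2] != first[:2]:  # match product and release branch
            continue
        if first <= v <= last:
            target = ".".join(map(str, fixed)) + " or above" if fixed else "a fixed version"
            return ("affected", f"upgrade to {target}")
        if fixed is not None and v >= fixed:
            # Per the article, patching alone is not enough once exposure is suspected.
            return ("fixed", "patched; forensic review still advised if it ran an affected build while exposed")
    return ("unlisted", "branch not in the advisory table; verify against Fortinet's PSIRT entry")


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, status, advice) for every inventory entry not confirmed fixed."""
    return [(h, *assess(p, v)) for h, p, v in inventory if assess(p, v)[0] != "fixed"]


if __name__ == "__main__":
    sample = [("fmg-dc1", "FortiManager", "7.4.3"),  # constructed sample hosts, not real
              ("fmg-dc2", "FortiManager", "7.4.5"),
              ("fmg-cloud", "FortiManager Cloud", "6.4.9")]
    for row in triage(sample):
        print(row)
```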
For FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, and 3900E, there are no patched versions. The recommendation is to follow Fortinet's workaround instructions.
Fortinet has shared workarounds for cases where upgrading to a patched version is not possible right away. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. Federal Civilian Executive Branch (FCEB) agencies have until November 13, 2024 to upgrade to a fixed version.
With the growing use of Internet-of-Medical-Things (IoMT) devices and digital solutions, many healthcare providers rely on Fortinet's security solutions to protect their healthcare systems, information, and devices against cyberattacks and to support HIPAA compliance. Information about this actively exploited zero-day vulnerability is therefore important to healthcare organizations using Fortinet products.