FortiJump (CVE-2024-47575) is a critical FortiManager vulnerability that allows remote, unauthenticated attackers to execute arbitrary commands. Fortinet released a patch on October 23, 2024, but a large number of devices remain exposed, underscoring the need to apply the fix and restrict access to FortiManager.
Key points
- Vulnerability CVE-2024-47575 affects FortiManager deployments.
- First identified in attacks by UNC5820 starting June 27, 2024.
- Patch released by Fortinet on October 23, 2024, with a CVSS score of 9.8.
- Exploitation allows remote command execution due to missing authentication checks.
- Over 59,000 devices still exposed according to Shodan.
- Attackers can access sensitive data and configurations, enabling lateral movement.
- Mitigation strategies include applying patches and limiting access to FortiManager.
- Securonix ATS will monitor for known IOCs.
MITRE Techniques
- [T1203] Exploitation for Client Execution – Exploiting vulnerabilities to execute commands on affected systems. Quote: ‘remote, unauthenticated attackers to execute arbitrary commands on the affected systems.’
- [T1003] Credential Dumping – Extracting sensitive data such as hashed passwords from compromised systems. Quote: ‘Extracting sensitive data such as hashed passwords from compromised systems.’
- [T1021] Lateral Movement – Pivoting to other internal systems after gaining access through FortiManager. Quote: ‘Pivoting to other internal systems after gaining access through FortiManager.’
Indicators of Compromise
- [Domain] C2 domains – detankzone.com, ccwaterfall.com
- [IPv4] C2 addresses – 149.28.206.153, 104.238.141.143
- [SHA256] File hashes – 7353AB9670133468081305BD442F7691CF2F2C1136F09D9508400546C417833A, 59A37D7D2BF4CFFE31407EDD286A811D9600B68FE757829E30DA4394AB65A4CC
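As an added example (not Securonix's or Fortinet's code), the following Python matcher checks the indicators listed above against constructed log lines, normalizing hash case and also matching subdomains of the listed C2 domains:

```python
import re

# Indicators of compromise listed on this page.
IOC_DOMAINS = {"detankzone.com", "ccwaterfall.com"}
IOC_IPS = {"149.28.206.153", "104.238.141.143"}
IOC_SHA256 = {
    "7353ab9670133468081305bd442f7691cf2f2c1136f09d9508400546c417833a",
    "59a37d7d2bf4cffe31407edd286a811d9600b68fe757829e30da4394ab65a4cc",
}

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def match_iocs(line):
    """Return a sorted list of (indicator_type, value) tuples found in one log line."""
    hits = set()
    for host in HOST_RE.findall(line):
        host = host.lower().rstrip(".")
        # Flag the listed domain itself and any subdomain of it.
        if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            hits.add(("domain", host))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.add(("ipv4", ip))
    for digest in SHA256_RE.findall(line):
        # Hashes are compared case-insensitively; sources differ in case.
        if digest.lower() in IOC_SHA256:
            hits.add(("sha256", digest.lower()))
    return sorted(hits)


def scan_lines(lines):
    """Return (line_number, hits) for every line that contains at least one indicator."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := match_iocs(line))]


# Constructed sample log lines (not real telemetry) exercising each indicator type.
SAMPLE_LOGS = [
    "2024-10-23T10:01:02Z dns query=cdn.detankzone.com. src=10.0.0.5",
    "2024-10-23T10:01:05Z firewall action=allow src=10.0.0.5 dst=104.238.141.143 dport=443",
    "2024-10-23T10:02:11Z edr file=/tmp/update.bin sha256=7353AB9670133468081305BD442F7691CF2F2C1136F09D9508400546C417833A",
    "2024-10-23T10:03:00Z firewall action=allow src=10.0.0.9 dst=8.8.8.8 dport=53",
]

if __name__ == "__main__":
    for n, hits in scan_lines(SAMPLE_LOGS):
        print(f"line {n}: {hits}")
```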