Fortinet FortiManager CVE-2024-47575 Targeted in Zero-Day Exploits

Fortinet disclosed a critical zero-day, CVE-2024-47575, in FortiManager on October 23, 2024 that allows remote unauthenticated attackers to execute arbitrary code. The flaw, rated CVSS v3 9.8, is reported as exploited in the wild, with attackers automating the exfiltration of files containing managed-device IPs, credentials, and configurations; customers are urged to apply emergency updates or workarounds. #CVE-2024-47575 #FortiManager

Keypoints

  • Fortinet published an advisory for CVE-2024-47575 on October 23, 2024.
  • The vulnerability stems from missing authentication in the FortiManager fgfmd daemon (CWE-306).
  • Remote unauthenticated attackers can send specially crafted requests to execute arbitrary code or commands.
  • The issue has a CVSS v3 score of 9.8 and has been reported as exploited in the wild.
  • Observed attacks automated file exfiltration of files containing IP addresses, credentials, and device configurations.
  • Vulnerable versions include FortiManager 6.2.0 through 7.6.0 and multiple FortiManager Cloud versions; FortiManager Cloud 7.6 is not affected.
  • Fortinet provides mitigation steps and IOCs in the advisory; customers should apply emergency updates or available workarounds immediately.

MITRE Techniques

  • [T1203] Execution – Exploitation of a FortiManager authentication bypass to execute arbitrary code. Quote: ‘allows a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.’
  • [T1041] Exfiltration – Automated scripts used to remove files from FortiManager containing sensitive data. Quote: ‘The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices.’
  • [T1003] Credential Dumping – Accessing and exfiltrating stored credentials from compromised FortiManager instances. Quote: ‘…contained the IPs, credentials and configurations of the managed devices.’

Indicators of Compromise

  • [Exfiltrated files] Files removed from FortiManager containing managed-device IPs, credentials, and configuration files.
  • [IP addresses] Managed-device IPs exposed in the exfiltrated content.
  • [Credentials] Account credentials found in the exfiltrated data: usernames and passwords for managed devices and administrative accounts.
  • [Advisory URLs/domains] Vendor references and IoC lists: https://www.fortiguard.com/psirt/FG-IR-24-423 and the Rapid7 advisory page.

On October 23, 2024, Fortinet published an advisory for CVE-2024-47575, a critical zero-day in its FortiManager network management product. The vulnerability exists in the fgfmd daemon and results from a missing authentication check (CWE-306), enabling unauthenticated, remote actors to send specially crafted requests that can execute arbitrary code or run commands. Fortinet assigned the issue a CVSS v3 score of 9.8 and reported active exploitation in the wild.

Public discussion about a potential FortiManager zero-day began around October 13, 2024, with private disclosures to some customers in mid-October and public posts on platforms such as Reddit, Twitter, and Mastodon. Despite those earlier discussions and news coverage, Fortinet’s public advisory and the CVE were not released until October 23. High-profile security researchers subsequently linked the exploit to espionage-style activity, though Fortinet’s advisory did not attribute the attacks to any specific threat actor.

According to Fortinet, observed attacks have automated the extraction of various files from FortiManager systems; those files contained IP addresses, credentials, and configuration details for managed devices. This behavior suggests attackers are harvesting information useful for lateral movement, persistent access, or additional compromise of the managed infrastructure. Rapid7 customers also reported communications from service providers indicating possible exploitation in their environments.

Fortinet’s advisory lists affected versions and provides mitigation guidance. Vulnerable releases include FortiManager versions 6.2.0 through 6.2.12, 6.4.0 through 6.4.14, 7.0.0 through 7.0.12, 7.2.0 through 7.2.7, 7.4.0 through 7.4.4, and 7.6.0, as well as multiple FortiManager Cloud series (7.4.1–7.4.4, all versions of 7.2, 7.0, and 6.4). FortiManager Cloud 7.6 is not affected. Fortinet urges customers to perform emergency updates to fixed versions rather than waiting for routine patch cycles, and notes that workarounds are available for some versions. The advisory also includes indicators of compromise customers should search for in their environments.
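As an added example (not code from Fortinet or Rapid7), a small Python triage helper that checks the FortiManager version strings in an asset inventory against the affected ranges listed above, so on-prem and Cloud builds can be prioritised for emergency patching; the inventory, hostnames and the `deployment` field are constructed assumptions.

```python
from __future__ import annotations

# Advisory ranges as (major.minor branch, lowest affected patch, highest affected
# patch); None means every patch level of that branch. Cloud 7.6 is not listed.
AFFECTED_RANGES = {
    "onprem": [("6.2", 0, 12), ("6.4", 0, 14), ("7.0", 0, 12),
               ("7.2", 0, 7), ("7.4", 0, 4), ("7.6", 0, 0)],
    "cloud": [("7.4", 1, 4), ("7.2", 0, None), ("7.0", 0, None), ("6.4", 0, None)],
}

def parse_version(text: str) -> tuple[str, int]:
    """Split '7.4.3' (or 'v7.4.3') into ('7.4', 3); reject anything else."""
    parts = text.strip().lower().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiManager version: {text!r}")
    return f"{int(parts[0])}.{int(parts[1])}", int(parts[2])

def is_affected(version: str, deployment: str = "onprem") -> bool:
    """True if the build falls inside an affected range for that deployment type.
    A patch level above a range's upper bound is treated as outside it; confirm
    against the advisory's fixed-version list rather than trusting this alone."""
    branch, patch = parse_version(version)
    return any(branch == b and patch >= lo and (hi is None or patch <= hi)
               for b, lo, hi in AFFECTED_RANGES[deployment])

def triage(inventory: list[dict]) -> list[str]:
    """Hostnames needing emergency action. Unparsable versions are flagged too,
    because an unknown build cannot be assumed safe."""
    flagged = []
    for host in inventory:
        try:
            hit = is_affected(host["version"], host.get("deployment", "onprem"))
        except ValueError:
            hit = True
        if hit:
            flagged.append(host["name"])
    return flagged

# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    {"name": "fmg-dc1", "version": "7.4.3"},                             # in 7.4.0-7.4.4
    {"name": "fmg-dc2", "version": "7.4.5"},                             # above the range
    {"name": "fmg-lab", "version": "6.2.12"},                            # top of 6.2 range
    {"name": "fmg-cloud-a", "version": "7.6.0", "deployment": "cloud"},  # Cloud 7.6 unaffected
    {"name": "fmg-cloud-b", "version": "7.2.9", "deployment": "cloud"},  # every Cloud 7.2
    {"name": "fmg-old", "version": "unknown"},                           # cannot be verified
]

if __name__ == "__main__":
    print("Needs emergency update:", triage(SAMPLE_INVENTORY))
```

The check is version-based only; a host whose build is outside the ranges still warrants a search for the advisory's indicators of compromise if it was reachable during the exploitation window.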

For Rapid7 users, authenticated checks for FortiManager exposure to CVE-2024-47575 were planned for release in InsightVM and Nexpose content on October 23, enabling organizations to identify affected systems more quickly and prioritize remediation. Organizations using FortiManager, and managed service providers who rely on it, should immediately review the vendor advisory, apply published fixes or workarounds, and scan for the IOCs described in the advisory.

Read more: https://blog.rapid7.com/2024/10/23/etr-fortinet-fortimanager-cve-2024-47575-exploited-in-zero-day-attacks/