Threat Alert: Critical Vulnerability in FortiManager Under Active Exploitation
INFORMATIONAL ONLY
A new zero-day vulnerability, CVE-2024-47575, has been identified in Fortinet's FortiManager and FortiManager Cloud. This vulnerability, known as "FortiJump," has been actively exploited since at least June 2024 by a threat actor group tracked as UNC5820.
The flaw lies in FortiManager's FGFM API: an attacker holding a stolen or otherwise compromised device certificate can reach the API and use it to execute arbitrary code on the FortiManager system.
The primary risk associated with this vulnerability is the ability to exfiltrate sensitive data, including configuration details of managed FortiGate devices, hashed passwords, and other critical information. While no evidence of malware installation or backdoor deployment has been observed, the stolen data could be used for further attacks, including lateral movement within enterprise networks.
Fortinet has provided three workarounds for the flaw depending on the current version of FortiManager installed:
- FortiManager versions 7.0.12 or above, 7.2.5 or above, 7.4.3 or above: Prevent unknown devices from attempting to register
- FortiManager versions 7.2.0 and above: Add local-in policies to allow-list the IP addresses of FortiGates that are allowed to connect
- FortiManager versions 7.2.2 and above, 7.4.0 and above, 7.6.0 and above: Use a custom certificate
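The three workarounds above, written out as FortiManager CLI. This is an added example, not part of the alert: the command names follow Fortinet's FortiManager CLI reference as the editor knows it, the angle-bracket values are placeholders you fill in, and the exact syntax should be confirmed against the CLI reference for your installed version.

```text
# Workaround 1 (7.0.12+, 7.2.5+, 7.4.3+): refuse FGFM registration
# attempts from devices whose serial number is not already in the
# device list.
config system global
    set fgfm-deny-unknown enable
end

# Workaround 2 (7.2.0+): let only the listed FortiGates reach the FGFM
# service (TCP 541); a second, lower-priority entry denies everyone
# else. Replace the placeholder with your managed FortiGates' addresses.
config system local-in-policy
    edit 1
        set action accept
        set dport 541
        set src <FORTIGATE_IP_OR_SUBNET_PLACEHOLDER>
    next
    edit 2
        set action deny
        set dport 541
    next
end

# Workaround 3 (7.2.2+, 7.4.0+, 7.6.0+): accept only device certificates
# issued by your own CA, then deploy certificates from that CA to the
# FortiGates. Replace the placeholder with the name of the imported CA.
config system global
    set fgfm-ca-cert <CUSTOM_CA_NAME_PLACEHOLDER>
    set fgfm-cert-exclusive enable
end
```

Workaround 1 also blocks legitimate first-time registration of any FortiGate not yet in the device list, so add new devices to FortiManager before they are brought online.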
Given the widespread use of FortiManager in managing enterprise security systems, it’s crucial for organizations to act quickly to prevent further exploitation.