Fortinet: Critical FortiManager Flaw Exploited in Attacks

Fortinet is warning of a critical flaw in FortiManager, which has been exploited.

Update - Fortinet is urging customers to apply patches for a critical flaw in its FortiManager network management tool, which according to Mandiant researchers has been exploited in attacks since at least June 27.

“The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices,” according to Fortinet in a Wednesday security advisory.

Key Details:

  • The flaw (CVE-2024-47575) stems from missing authentication for a critical function in the FortiManager fgfmd daemon

  • The vulnerability could enable an unauthenticated attacker to remotely execute arbitrary code or commands through specially crafted requests

  • According to a National Cyber Security Centre advisory that has now been made public, an attacker would need a valid Fortinet certificate extracted from a Fortinet device or VM to exploit the flaw

  • With a CVSS v3 score of 9.8 out of 10, this flaw is rated critical severity

  • Fortinet said in its advisory that “reports have shown this vulnerability to be exploited in the wild,” and Mandiant researchers said they have observed at least 50 potential victims targeted in attacks across various industries

Exploitation Activity: There have been some reports about the flaw over the last few weeks, with some customers reportedly being notified, but Fortinet didn’t come out with the public advisory until Wednesday, Oct. 23. In a blog post published Oct. 22, researcher Kevin Beaumont outlined the vulnerability and alleged that it is being exploited in espionage attacks by nation states.

“From the FortiManager, you can then manage the legit downstream FortiGate firewalls, view config files, take credentials and alter configurations. Because MSPs — Managed Service Providers — often use FortiManager, you can use this to enter internal networks downstream,” according to Beaumont in a DoublePulsar blog post.

In a separate analysis, Caitlin Condon with Rapid7 said “Rapid7 customers have… reported receiving communications from service providers indicating the vulnerability may have been exploited in their environments.”

Fortinet also released a list of Indicators of Compromise for FortiManager customers, and said that “at this stage, we have not received reports of any low-level system installations of malware or backdoors on these compromised FortiManager systems. To the best of our knowledge, there have been no indicators of modified databases, or connections and modifications to the managed devices.”

Vendor Response: Fortinet said that fixes are available for CVE-2024-47575. Customers with FortiManager versions 7.6, 7.4 through 7.4.4, 7.2 through 7.2.7, 7.0 through 7.0.12, 6.4 through 6.4.14 and 6.2 through 6.2.12, and FortiManager Cloud 7.4.1 through 7.4.4, 7.2.1 through 7.2.7, 7.0.1 through 7.0.12 and all versions of 6.4 should check the available upgrades in Fortinet’s security advisory. Several mitigations also exist, which can also be found in Fortinet’s advisory.
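As an added example, not code from the article or from Fortinet, the following Python script compares an inventory of FortiManager instances against the affected version ranges quoted in the Vendor Response paragraph above, so an administrator can quickly list which hosts still need the upgrade. The inventory rows and product labels are constructed for illustration, and the article's bare "7.6" is treated here as the single release 7.6.0; confirm both the ranges and that reading against Fortinet's advisory before acting on the output.

```python
import csv
import io
from typing import Dict, List, Optional, Tuple

# Affected ranges as stated in the article's Vendor Response paragraph
# (inclusive lower and upper bounds). A None upper bound means "every
# release of that major.minor", which is how the article describes
# FortiManager Cloud 6.4. Product labels are assumptions for this example.
AFFECTED: Dict[str, List[Tuple[str, Optional[str]]]] = {
    "FortiManager": [
        ("7.6", "7.6"),        # article lists "7.6" with no patch level
        ("7.4", "7.4.4"),
        ("7.2", "7.2.7"),
        ("7.0", "7.0.12"),
        ("6.4", "6.4.14"),
        ("6.2", "6.2.12"),
    ],
    "FortiManager Cloud": [
        ("7.4.1", "7.4.4"),
        ("7.2.1", "7.2.7"),
        ("7.0.1", "7.0.12"),
        ("6.4", None),         # article: "all versions of 6.4"
    ],
}

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '7.4.3' into (7, 4, 3); missing components are padded with 0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return (parts + (0, 0, 0))[:3]  # type: ignore[return-value]


def is_affected(product: str, version: str) -> bool:
    """True if this product/version falls inside a range quoted in the article."""
    if product not in AFFECTED:
        raise ValueError(f"unknown product: {product!r}")
    v = parse_version(version)
    for low, high in AFFECTED[product]:
        lo = parse_version(low)
        if high is None:
            # Open-ended range: any release sharing the major.minor prefix.
            if v[:2] == lo[:2]:
                return True
            continue
        if lo <= v <= parse_version(high):
            return True
    return False


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """\
hostname,product,version
fmg-hq-01,FortiManager,7.4.3
fmg-hq-02,FortiManager,7.4.5
fmg-cloud-a,FortiManager Cloud,7.2.4
fmg-lab,FortiManager,6.2.13
"""


def hosts_needing_upgrade(inventory_csv: str) -> List[str]:
    """Return the hostnames whose recorded version is in an affected range."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [row["hostname"] for row in rows
            if is_affected(row["product"], row["version"])]


if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2024-47575, apply the fixed build")
```

The comparison is done on parsed integer tuples rather than on strings, so "7.0.12" correctly sorts after "7.0.9"; a plain string comparison would get that wrong. Versions above the stated upper bound (for example 7.4.5) are reported as not affected only because they fall outside the article's ranges, which is exactly why the advisory itself should be the final word.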

This article was updated on Oct. 24 to include new details on the exploitation activity timeline and victimology from Mandiant.