On October 23, 2024, Fortinet released an advisory regarding a critical zero-day vulnerability, CVE-2024-47575, affecting their FortiManager network management solution. This vulnerability, resulting from missing authentication for a critical function, allows remote attackers to execute arbitrary code or commands. The flaw has been actively exploited in the wild, prompting urgent mitigation measures.

Understanding CVE-2024-47575

CVE-2024-47575 is a severe vulnerability in the FortiManager fgfmd daemon, characterized by a lack of authentication for a crucial function. This flaw enables unauthenticated attackers to send specially crafted requests, potentially leading to remote code execution. With a CVSS v3 score of 9.8, the vulnerability poses a significant risk to affected systems.

Technical Analysis

A comprehensive technical analysis of CVE-2024-47575 is available on AttackerKB, detailing aspects such as firmware decryption, protocol analysis, and the potential for unauthenticated remote code execution. Fortinet's advisory confirms that the vulnerability has been exploited in the wild, with reports from Rapid7 customers indicating possible exploitation within their environments.

  • Exploitation: Attackers have automated the exfiltration of files from FortiManager, targeting IPs, credentials, and configurations of managed devices.
  • Mitigation: Fortinet advises reviewing their advisory for indicators of compromise and implementing recommended mitigation strategies.

Updates and Industry Response

As of October 31, Fortinet's advisory has been updated with additional indicators of compromise (IOCs) and workaround information. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a bulletin alerting Fortinet customers to these updates. Notably, CVE-2024-47575 was added to the Known Exploited Vulnerabilities (KEV) list on October 23.

Background and Discovery

Discussions about a potential zero-day vulnerability in FortiManager began around October 13, with private industry chatter and public posts on platforms like Reddit and Twitter. Fortinet privately disclosed the vulnerability to some customers by October 15, but a public advisory and CVE were not issued until October 23. Reports suggest that state-sponsored adversaries have exploited this vulnerability for espionage purposes.

Mitigation Guidance

Fortinet's advisory lists several FortiManager versions vulnerable to CVE-2024-47575, including:

  • FortiManager 7.6.0
  • FortiManager 7.4.0 through 7.4.4
  • FortiManager 7.2.0 through 7.2.7
  • FortiManager 7.0.0 through 7.0.12
  • FortiManager 6.4.0 through 6.4.14
  • FortiManager 6.2.0 through 6.2.12
  • FortiManager Cloud 7.4.1 through 7.4.4
  • FortiManager Cloud 7.2 (all versions)
  • FortiManager Cloud 7.0 (all versions)
  • FortiManager Cloud 6.4 (all versions)

Customers are urged to update to a supported, fixed version immediately, without waiting for their regular patch cycle. Fortinet's advisory provides the list of fixed versions and, for some versions, available workarounds.
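To turn the version list above into a repeatable inventory check, the following Python script (an added example, not code from Fortinet, Rapid7 or the advisory) encodes the affected ranges exactly as listed and reports whether a given FortiManager or FortiManager Cloud build falls inside one of them. The version strings fed to it are constructed samples; a match only means the build is in a range the advisory calls vulnerable, and the fixed version to move to must still be read from the advisory itself, since this page does not list fixed builds.

```python
"""Check a FortiManager build against the CVE-2024-47575 affected ranges.

Added example; the ranges are transcribed from the vulnerable-version list
in Fortinet's advisory as summarised above. Sample inputs are constructed.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# (product, lowest affected build, highest affected build).
# A None upper bound encodes the advisory's "all versions" wording for a
# whole branch (e.g. FortiManager Cloud 7.2.x).
VULNERABLE_RANGES: List[Tuple[str, str, Optional[str]]] = [
    ("FortiManager", "7.6.0", "7.6.0"),
    ("FortiManager", "7.4.0", "7.4.4"),
    ("FortiManager", "7.2.0", "7.2.7"),
    ("FortiManager", "7.0.0", "7.0.12"),
    ("FortiManager", "6.4.0", "6.4.14"),
    ("FortiManager", "6.2.0", "6.2.12"),
    ("FortiManager Cloud", "7.4.1", "7.4.4"),
    ("FortiManager Cloud", "7.2", None),
    ("FortiManager Cloud", "7.0", None),
    ("FortiManager Cloud", "6.4", None),
]


def parse_version(s: str) -> Version:
    """Turn '7.4.3' into (7, 4, 3); reject anything that is not dotted integers."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {s!r}")
    return tuple(int(p) for p in parts)


def in_range(v: Version, low: str, high: Optional[str]) -> bool:
    """True if v lies in [low, high]; with high=None, True if v is on the low branch."""
    lo = parse_version(low)
    if high is None:
        # Whole-branch entry: only the leading components are compared,
        # so (7, 2, 9) matches the "7.2" branch.
        return v[: len(lo)] == lo
    return lo <= v <= parse_version(high)


def is_vulnerable(product: str, version: str) -> Optional[str]:
    """Return the matching advisory range as text, or None if no range matches.

    Missing trailing components are treated as zero ('7.4' is '7.4.0') so
    tuple comparison is done on equal-length versions.
    """
    v = parse_version(version)
    v = v + (0,) * (3 - len(v))
    for prod, low, high in VULNERABLE_RANGES:
        if prod != product:
            continue
        if in_range(v, low, high):
            if high is None:
                return f"{prod} {low} (all versions)"
            if high == low:
                return f"{prod} {low}"
            return f"{prod} {low} through {high}"
    return None


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = [
        ("fmg-dc1", "FortiManager", "7.4.3"),
        ("fmg-dc2", "FortiManager", "7.4.5"),
        ("fmg-lab", "FortiManager", "7.6.0"),
        ("fmg-cloud-eu", "FortiManager Cloud", "7.2.9"),
        ("fmg-cloud-us", "FortiManager Cloud", "7.4.0"),
    ]
    for host, product, version in inventory:
        hit = is_vulnerable(product, version)
        status = f"AFFECTED ({hit})" if hit else "not in a listed range"
        print(f"{host:14s} {product:18s} {version:8s} {status}")
```

Note the FortiManager Cloud 7.4.0 case: the advisory lists Cloud 7.4.1 through 7.4.4, so 7.4.0 is reported as not in a listed range even though on-premises 7.4.0 is affected; the product name matters when encoding ranges like these.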
