Fortinet has gone public with news of a critical flaw in its software management platform.
The security vendor apparently began informing customers privately about the bug a few days ago but has since opened up about the issue in its FortiManager control software. The vulnerability, CVE-2024-47575, has a CVSS score of 9.8 and would allow a remote attacker to run code on unpatched systems – and, given that the application exists to manage fleets of Fortinet devices, possibly spread further over a network.
"A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests," states Fortinet’s advisory, which adds the words no user wants to read: "Reports have shown this vulnerability to be exploited in the wild."
In order to use the flaw, an attacker would need a valid Fortinet device certificate, Rob King, director of security research at flaw-finding firm runZero, explained. But such a certificate could be taken from a legitimate box and reused, allowing the intruder to log into the management software without proper checks.
On Wednesday, CISA confirmed the bug was under active exploitation and added it to its Known Exploited Vulnerabilities Catalog – meaning Federal IT admins are on notice to fix this fast. CISA wants the rest of us to do likewise.
Security maven Kevin Beaumont has been warning about the issue, which he dubbed FortiJump, for days now. He estimates that at least 60,000 users are exposed.
"I'm not confident that Fortinet's narrative that they're protecting customers by not publicly disclosing a vulnerability is protecting customers," he opined.
"This vulnerability has been under widespread exploitation for a while. It doesn't protect anybody by not being transparent … except maybe themselves, and any governments that don't want to be embarrassed."
Fortinet recommends that users of FortiManager 7.6 and below – and its cloud equivalent – update their software immediately. It has also issued a list of indicators of compromise that admins should be on guard for, as well as four IP addresses known to be malicious: 45.32.41.202, 104.238.141.143, 158.247.199.37, and 45.32.63.2.
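As an added example (not code from Fortinet's advisory or from this article), the script below scans key=value style log lines for traffic to or from the four addresses listed above and tallies hits per address. The only facts taken from the advisory are the four IPs; the log records are constructed, and the field names (srcip, dstip, dstport) and the use of TCP 541 (the FGFM management port) as a plausible destination are assumptions about the log layout, not copies of real FortiManager entries.

```python
# Added example, not from Fortinet or The Register: match log lines against the
# four IP addresses named in Fortinet's CVE-2024-47575 advisory.
import ipaddress
import re
from collections import Counter

# The four addresses the advisory names as malicious (taken from the article).
FORTIJUMP_IOC_IPS = frozenset(
    ipaddress.ip_address(a)
    for a in ("45.32.41.202", "104.238.141.143", "158.247.199.37", "45.32.63.2")
)

# Constructed sample records in a key=value / key="value" syslog layout.
# These are NOT real FortiManager logs; field names are assumptions.
SAMPLE_LOGS = """\
date=2024-10-23 time=08:12:01 type="event" srcip=10.0.0.15 dstip=10.0.0.5 dstport=541 msg="sample event"
date=2024-10-23 time=08:15:44 type="event" srcip=45.32.41.202 dstip=10.0.0.5 dstport=541 msg="sample event"
date=2024-10-23 time=08:16:02 type="event" srcip=192.168.1.9 dstip=10.0.0.5 dstport=443 msg="sample event"
date=2024-10-23 time=09:01:17 type="traffic" srcip=10.0.0.5 dstip=158.247.199.37 dstport=443 msg="sample event"
a malformed line with no fields that the parser should skip
date=2024-10-23 time=09:30:00 type="event" srcip=45.32.41.202 dstip=10.0.0.5 dstport=541 msg="sample event"
"""

# key=value or key="quoted value"; quoted form is tried first so spaces survive.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv_line(line):
    """Parse one key=value log line into a dict; returns {} for unparseable lines."""
    return {key: raw.strip('"') for key, raw in _KV_RE.findall(line)}


def _as_ip(value):
    """Convert a field value to an ip_address, or None if it is not an IP."""
    try:
        return ipaddress.ip_address(value)
    except (ValueError, TypeError):
        return None


def find_ioc_hits(log_text, ioc_ips=FORTIJUMP_IOC_IPS, ip_fields=("srcip", "dstip")):
    """Return (line_no, matched_ip, field_name, fields) for every line whose
    source or destination IP is in the IoC set. Comparing ip_address objects
    rather than strings avoids misses on differently formatted addresses."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        fields = parse_kv_line(line)
        if not fields:
            continue  # skip lines that are not key=value records
        for field in ip_fields:
            ip = _as_ip(fields.get(field))
            if ip is not None and ip in ioc_ips:
                hits.append((line_no, str(ip), field, fields))
    return hits


def summarize_hits(hits):
    """Count hits per IoC address so an analyst sees which one is most active."""
    return Counter(ip for _, ip, _, _ in hits)


if __name__ == "__main__":
    matches = find_ioc_hits(SAMPLE_LOGS)
    for line_no, ip, field, fields in matches:
        print(f"line {line_no}: {field}={ip} dstport={fields.get('dstport')}")
    print(dict(summarize_hits(matches)))
```

Pointing `find_ioc_hits` at exported FortiManager or perimeter firewall logs gives a quick first pass; a hit on an outbound connection (the IoC as `dstip`) deserves the same attention as an inbound one, since the advisory describes file exfiltration from the FortiManager itself.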
"The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices," the vendor explained.
"At this stage, we have not received reports of any low-level system installations of malware or backdoors on these compromised FortiManager systems. To the best of our knowledge, there have been no indicators of modified databases, or connections and modifications to the managed devices."
Fortinet has had a tough month. Last week CISA issued an alert about another CVSS 9.8 critical bug, CVE-2024-23113. Although it was patched in February, people were tardy, and even now an estimated 86,000 users remain at risk. ®