Fortinet FortiManager CVE-2024-47575 Targeted in Zero-Day Exploits

Short Summary:

On October 23, 2024, Fortinet disclosed a critical zero-day vulnerability (CVE-2024-47575) in their FortiManager solution, allowing remote unauthenticated attackers to execute arbitrary code. The vulnerability has a CVSS score of 9.8 and is reportedly being exploited in the wild. Mitigation guidance is provided for affected versions, and customers are urged to update immediately.

Key Points:

  • Fortinet published an advisory on CVE-2024-47575 on October 23, 2024.
  • The vulnerability affects FortiManager due to missing authentication for a critical function.
  • It allows remote unauthenticated attackers to execute arbitrary code or commands.
  • The CVSS v3 score for this vulnerability is 9.8.
  • Reportedly exploited in the wild, with indications of automated file exfiltration.
  • Vulnerable versions include FortiManager 6.2.0 through 7.6.0 and various cloud versions.
  • Fortinet recommends immediate updates to fixed versions or applying available workarounds.
  • Indicators of compromise (IOCs) are provided in the advisory for customer review.
  • Rapid7 customers can assess exposure to this vulnerability through their tools.

MITRE ATT&CK TTPs – created by AI

  • Execution (T1203)
    • Exploitation of vulnerabilities to execute arbitrary code.
  • Exfiltration (T1041)
    • Automated scripts used for file exfiltration containing sensitive information.
  • Credential Dumping (T1003)
    • Accessing and exfiltrating credentials from compromised systems.

Fortinet FortiManager CVE-2024-47575 Exploited in Zero-Day Attacks

On Wednesday, October 23, 2024, security vendor Fortinet published an advisory on CVE-2024-47575, a critical zero-day vulnerability affecting its FortiManager network management solution. The vulnerability arises from missing authentication for a critical function (CWE-306) in the FortiManager fgfmd daemon, which allows a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. The vulnerability carries a CVSS v3 score of 9.8.

Fortinet’s advisory notes that CVE-2024-47575 has been “reported” as exploited in the wild. Rapid7 customers have also reported receiving communications from service providers indicating the vulnerability may have been exploited in their environments. According to the vendor, “The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices.” Rapid7 strongly recommends reviewing the vendor advisory for indicators of compromise and mitigation strategies.

Background

Since roughly October 13, there have been private industry discussions and a number of public posts on Reddit, Twitter, and Mastodon about a rumored zero-day vulnerability in FortiManager. Public Reddit conversations indicated that Fortinet contacted some of their customers by email circa October 15 to “privately disclose” a FortiManager vulnerability and advise on mitigations. Despite embargoed communications and the publication of several news articles, neither a public advisory nor a CVE was issued until October 23.

On the evening of October 22, high-profile cybersecurity researcher Kevin Beaumont published a blog post alleging that a state-sponsored adversary had been using this FortiManager zero-day vulnerability in espionage attacks. While Fortinet’s advisory does not include any information about specific adversaries exploiting the vulnerability, Fortinet devices have long been popular targets for state-sponsored threat actors.

Mitigation guidance

Per Fortinet’s advisory, the following versions of FortiManager are vulnerable to CVE-2024-47575 and have mitigation guidance available:

  • FortiManager 7.6.0
  • FortiManager 7.4.0 through 7.4.4
  • FortiManager 7.2.0 through 7.2.7
  • FortiManager 7.0.0 through 7.0.12
  • FortiManager 6.4.0 through 6.4.14
  • FortiManager 6.2.0 through 6.2.12
  • FortiManager Cloud 7.4.1 through 7.4.4
  • FortiManager Cloud 7.2 (all versions)
  • FortiManager Cloud 7.0 (all versions)
  • FortiManager Cloud 6.4 (all versions)

The advisory indicates FortiManager Cloud 7.6 is not affected.
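As an added example (not code from Rapid7 or Fortinet), the following Python encodes the affected ranges listed above so that a version string pulled from an asset inventory can be classified as within or outside them; the `AFFECTED_RANGES` table, the product labels and the sample inventory are constructed here from the list on this page, and the vendor advisory remains the authoritative source for fixed versions.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]
Bound = Tuple[int, int, Optional[int]]  # a None patch bound means "all patch levels"

# Inclusive affected ranges, transcribed from the list of vulnerable versions above.
AFFECTED_RANGES = {
    "FortiManager": [
        ((7, 6, 0), (7, 6, 0)),
        ((7, 4, 0), (7, 4, 4)),
        ((7, 2, 0), (7, 2, 7)),
        ((7, 0, 0), (7, 0, 12)),
        ((6, 4, 0), (6, 4, 14)),
        ((6, 2, 0), (6, 2, 12)),
    ],
    "FortiManager Cloud": [
        ((7, 4, 1), (7, 4, 4)),
        ((7, 2, 0), (7, 2, None)),  # FortiManager Cloud 7.2, all versions
        ((7, 0, 0), (7, 0, None)),  # FortiManager Cloud 7.0, all versions
        ((6, 4, 0), (6, 4, None)),  # FortiManager Cloud 6.4, all versions
    ],
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse '7.4.3' or 'v7.4.3' (any trailing build suffix is ignored) into a tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def _in_range(v: Version, lo: Bound, hi: Bound) -> bool:
    # Every range stays within one major.minor branch, so match the branch first,
    # then compare the patch level against the inclusive bounds.
    if (v[0], v[1]) != (lo[0], lo[1]) or v[2] < lo[2]:
        return False
    return hi[2] is None or v[2] <= hi[2]


def affected_range(product: str, version: str) -> Optional[Tuple[Bound, Bound]]:
    """Return the matching (low, high) range, or None if the version is outside all ranges."""
    if product not in AFFECTED_RANGES:
        raise ValueError(f"unknown product label: {product!r}")
    v = parse_version(version)
    return next((r for r in AFFECTED_RANGES[product] if _in_range(v, *r)), None)


def is_affected(product: str, version: str) -> bool:
    return affected_range(product, version) is not None
```

A version that falls outside every listed range (for example 7.4.5 or Cloud 7.6.0) is reported as not affected by this table, which is consistent with the advisory's statement that FortiManager Cloud 7.6 is not affected.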

FortiManager customers should update to a supported, fixed version on an emergency basis, without waiting for a regular patch cycle to occur. See the vendor advisory for the latest list of fixed versions. A workaround is also available for some versions.

Fortinet’s advisory also includes a list of indicators of compromise (IOCs) that FortiManager customers should look for in their environments.

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2024-47575 with an authenticated check for FortiManager expected to be available in the Wednesday, October 23 content release.

Source: Original Post