How is CVE-2024-47575 being exploited?

Attackers exploit CVE-2024-47575 by extracting a valid certificate from any compromised Fortinet device, such as FortiManager VM. They create unregistered devices labeled as 'localhost' and issue API commands to gain further access, stealing IP addresses, credentials, and configurations of managed devices.

Which versions of FortiManager are affected by CVE-2024-47575?

Affected versions include FortiManager 6.2.0 to 6.2.12, 6.4.0 to 6.4.14, 7.0.0 to 7.0.12, 7.2.0 to 7.2.7, 7.4.0 to 7.4.4, 7.6.0, and FortiManager Cloud 6.4, 7.0, 7.2, and 7.4.

What are the first patched versions for CVE-2024-47575?

The vulnerability is patched in FortiManager 6.2.13, 6.4.15, 7.0.13, 7.2.8, 7.4.5, and 7.6.1, as well as in FortiManager Cloud 7.2.8, 7.4.5, and 7.6.1.

What are the recommended workarounds for CVE-2024-47575?

Recommended workarounds include using the 'set fgfm-deny-unknown enable' command to block devices with unknown serial numbers from registering, creating a custom SSL certificate for tunnels between FortiGate and FortiManager, and implementing IP allowlists to restrict access to trusted devices only.

What actions should users take to mitigate CVE-2024-47575?

Users should immediately upgrade to the latest patched versions of FortiManager. Additionally, they should implement the suggested workarounds to enhance security and prevent exploitation until the patch is applied.

Attack

Fortinet warns of active exploitation of FortiManager flaw

Q: What is CVE-2024-47575 in FortiManager?

CVE-2024-47575 is a critical vulnerability in FortiManager (CVSS score 9.8) caused by missing authentication for a critical function. It allows remote, unauthenticated attackers to execute arbitrary code or commands by sending specially crafted requests. The vulnerability has been exploited in the wild to extract sensitive files, such as configurations, IP addresses, and credentials of managed devices.

published: Oct. 23, 2024

Take action: If you are running Fortinet FortiManager, review the advisory and the mitigating measures. Some may be impossible or not feasible, so ideally start patching ASAP. This is an active hacking campaign, don't delay.

Learn More

Fortinet is reporting that the privately reported flaw in FortiManager, tracked as CVE-2024-47575 (CVSS score 9.8), is being exploited in the wild.

The flaw is a missing authentication for critical function that enables remote, unauthenticated attackers to execute arbitrary code or commands by sending specially crafted requests to FortiManager. Attackers leverage this vulnerability to extract sensitive files containing configurations, IP addresses, and credentials for managed devices. This can lead to further attacks on managed FortiGate devices, compromising network security.

Exploiting this flaw requires attackers to extract a valid certificate from any compromised Fortinet device, such as FortiManager VM.

Attackers created unregistered devices labeled “localhost” and issued API commands to gain further access. Stolen data includes IP addresses, credentials, and configurations of managed devices. Rogue FortiGate devices used serial numbers resembling FortiGate-VM virtual machines.

IP addresses associated with attacks were traced to cloud hosting company Vultr.

Affected Versions:

FortiManager versions: 6.2.0 to 6.2.12, 6.4.0 to 6.4.14, 7.0.0 to 7.0.12, 7.2.0 to 7.2.7, 7.4.0 to 7.4.4, 7.6.0, and FortiManager Cloud 6.4, 7.0, 7.2, 7.4.

First Patched Versions:

FortiManager 6.2.13, 6.4.15, 7.0.13, 7.2.8, 7.4.5, and 7.6.1.
FortiManager Cloud 7.2.8, 7.4.5, and 7.6.1.

Fortinet urges users to upgrade to the latest patched versions to mitigate this critical vulnerability.

Alternative Workarounds:

Use the set fgfm-deny-unknown enable command to prevent devices with unknown serial numbers from registering with FortiManager.
Create a custom SSL certificate for establishing tunnels between FortiGate and FortiManager.
Implement IP allowlists to restrict access to trusted devices only.

Update - Mandiant reports that over 50 Fortinet FortiManager appliances were compromised by threat actor UNC5820 exploiting the zero-day vulnerability since late June 2024. The attacks led to the exfiltration of configuration data, user information, and FortiOS256-hashed credentials from impacted FortiGate devices

Fortinet warns of active exploitation of FortiManager flaw

Read More
XSS vulnerability in Zimbra collaboration suite under active …
FCX routers vulnerable to actively exploited flaw by …
Critical vulnerability in ScienceLogic SL1 exploited - at …
Critical OttoKit WordPress Plugin vulnerability patched after active …
CISA warns of critical Oracle flaw actively exploited