Critical Vulnerability in FortiManager: CVE-2024-47575

A critical vulnerability has been identified in the FortiManager fgfmd daemon, allowing remote unauthenticated attackers to execute arbitrary code or commands. The missing authentication vulnerability has been actively exploited in the wild, posing a severe risk to organizations using FortiManager and FortiAnalyzer models.

Threat alert
October 25, 2024

Mandiant is tracking a new threat cluster, UNC5820, that has been observed exploiting the vulnerability as early as June 2024. The group has exfiltrated detailed configuration information, as well as usernames and their FortiOS256-hashed passwords.

Affected and Mitigation Versions

| Version | Affected | Solution |
|---|---|---|
| FortiManager 7.6 | 7.6.0 | Upgrade to 7.6.1 or above |
| FortiManager 7.4 | 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.7 | Upgrade to 7.2.8 or above |
| FortiManager 7.0 | 7.0.0 through 7.0.12 | Upgrade to 7.0.13 or above |
| FortiManager 6.4 | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above |
| FortiManager 6.2 | 6.2.0 through 6.2.12 | Upgrade to 6.2.13 or above |
| FortiManager Cloud 7.6 | Not affected | Not applicable |
| FortiManager Cloud 7.4 | 7.4.1 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiManager Cloud 7.2 | 7.2.1 through 7.2.7 | Upgrade to 7.2.8 or above |
| FortiManager Cloud 7.0 | 7.0.1 through 7.0.12 | Upgrade to 7.0.13 or above |
| FortiManager Cloud 6.4 | All 6.4 versions | Migrate to a fixed release |

Older FortiAnalyzer models are also at risk if the following setting is enabled and at least one interface has the fgfm service enabled:

```
config system global
    set fmg-status enable
end
```

Immediate Actions Required

  • Upgrade to a fixed version, or apply the workarounds published by the vendor; which workarounds are available depends on the FortiManager version you are running. The advisory can be found here.
  • Restrict access to the fgfm service (TCP port 541) to the addresses of permitted FortiGates, and limit administrative access to FortiManager.
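
The vendor's published workarounds, reproduced here as an added example rather than text from the original alert, are FortiManager CLI settings: the first refuses registration attempts from any device whose serial number is not already in the device list, the second is a local-in policy that accepts fgfm (TCP 541) only from known FortiGate addresses and denies everything else. The address 192.0.2.10 is a placeholder for your own FortiGate's management address, and the advisory limits each workaround to specific releases, so confirm availability on your version (and the exact option names) before applying.

```text
# Workaround 1: deny registration from unknown serial numbers.
# Note: a newly deployed FortiGate whose serial is not yet in the device
# list will be refused until it is added.
config system global
    set fgfm-deny-unknown enable
end

# Workaround 2: local-in policy on the fgfm port (TCP 541).
# Rule 1 accepts a known FortiGate, rule 2 denies everyone else.
config system local-in-policy
    edit 1
        set action accept
        set dport 541
        set src 192.0.2.10
    next
    edit 2
        set action deny
        set dport 541
    next
end
```

Add one accept rule per FortiGate (or per management subnet) ahead of the final deny; the policy is evaluated in order, so the deny must come last.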

If compromise is suspected, we recommend restoring from a known-good backup taken before the compromise, with hardened configuration applied. Review the logs before reverting so that evidence of the intrusion is preserved. Additionally, rotate all credentials: the exfiltrated data included usernames and hashed passwords, so any account that existed on the appliance should be treated as exposed.
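
As an added illustration of the log review recommended above (this is not code from Socura, Fortinet or Mandiant), the following Python script parses Fortinet-style key=value event log lines and flags device-manager events whose source address is outside an allowlist of permitted FortiGate addresses, or whose serial number is not in the managed inventory. The field names (subtype, srcip, serial, msg), the sample log lines, the addresses and the serial numbers are constructed for the example and must be mapped onto the fields your FortiManager release actually emits.

```python
"""Hunt FortiManager-style event logs for device-manager (fgfm) registrations
that come from an address outside the allowlist of known FortiGates, or that
carry a serial number not in the managed inventory.

Added example: field names (subtype, srcip, serial, msg) and the sample lines
are constructed for illustration and are not taken from a real appliance."""
import ipaddress
import re

# Fortinet-style logs are space-separated key=value pairs; values that contain
# spaces are wrapped in double quotes, so try a quoted string before \S+.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortinet_log(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def find_suspicious_registrations(lines, allowed_nets, known_serials):
    """Return a list of (fields, reasons) for device-manager events whose source
    address is outside allowed_nets or whose serial is not in known_serials.

    This is the log-review counterpart of restricting fgfm to permitted
    FortiGate addresses and of refusing registrations from unknown serials."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = []
    for line in lines:
        fields = parse_fortinet_log(line)
        if fields.get("subtype") != "dvm":  # device-manager events only (assumed name)
            continue
        reasons = []
        src = fields.get("srcip")
        if src is None:
            reasons.append("missing srcip")
        else:
            try:
                addr = ipaddress.ip_address(src)
            except ValueError:
                reasons.append("unparseable srcip %r" % src)
            else:
                if not any(addr in net for net in nets):
                    reasons.append("srcip %s is not a permitted FortiGate address" % src)
        serial = fields.get("serial")
        if serial and serial not in known_serials:
            reasons.append("serial %s is not in the managed inventory" % serial)
        if reasons:
            hits.append((fields, reasons))
    return hits


# Constructed sample data: two permitted FortiGate ranges, two known serials,
# and four log lines (a benign registration, an unrelated admin event, a
# registration from an unknown address with an unknown serial, and one from a
# permitted address but with an unknown serial).
ALLOWED_FORTIGATE_NETS = ["10.10.0.0/24", "192.0.2.10/32"]
KNOWN_SERIALS = {"FGT60FTK20000001", "FGT60FTK20000002"}
SAMPLE_LOG = [
    'date=2024-10-01 time=09:12:01 type=event subtype=dvm level=notice user="system" '
    'srcip=10.10.0.5 serial=FGT60FTK20000001 msg="Device FGT-BRANCH-01 registered"',
    'date=2024-10-01 time=09:40:33 type=event subtype=system level=notice user="admin" '
    'srcip=198.51.100.9 msg="Admin login succeeded"',
    'date=2024-10-02 time=03:17:44 type=event subtype=dvm level=notice user="system" '
    'srcip=203.0.113.77 serial=FGT-UNKNOWN-0001 msg="Device localhost added to ADOM root"',
    'date=2024-10-02 time=08:05:10 type=event subtype=dvm level=notice user="system" '
    'srcip=192.0.2.10 serial=FGT60FTK20000099 msg="Device FGT-LAB registered"',
]


def run_sample():
    """Run the hunt over the constructed sample and return the hits."""
    return find_suspicious_registrations(SAMPLE_LOG, ALLOWED_FORTIGATE_NETS, KNOWN_SERIALS)


if __name__ == "__main__":
    for fields, reasons in run_sample():
        print(fields["date"], fields["time"], fields.get("srcip"), "->", "; ".join(reasons))
```

Feed it the exported event log rather than a live tail: the point is to establish whether any unexpected device registered before the backup you intend to restore was taken, and a registration from an address you do not own, or with a serial you never deployed, is the signal to escalate rather than simply revert.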

Here at Socura, we’ve already begun running threat hunts on our customers’ environments, with the appropriate blocking actions on IOCs. We are constantly monitoring the environment for malicious behaviour, as well as monitoring any updates from the vendor. The vendor advisory can be found here.