Critical FortiManager 0-day under active exploitation (CVE-2024-47575)
mnemonic's Incident Response Team have responded to incidents and can confirm active exploitation of a now disclosed FortiManager 0-day. The first confirmed exploitation dates back to September 22nd.

On October 13th, mnemonic received reports that an undisclosed and critical vulnerability in Fortinet FortiManager had been identified. The vulnerability poses a significant risk to organisations using FortiManager to manage Fortinet devices.
On October 23, Fortinet disclosed the vulnerability in their advisory FG-IR-24-423 and assigned CVE-2024-47575 with a CVSSv3 rating of 9.8 (critical).
mnemonic have responded to an incident with the first known exploitation occurring on September 22nd. CISA have now added the vulnerability to their Known Exploited Vulnerabilities Catalog.
The vulnerability is reported publicly to be present in the FortiGate to FortiManager (FGFM) protocol. FortiManager defaults to allowing any device to register and become a managed device. The only requirement for this appears to be a valid certificate; however, this requirement is trivial to bypass, as a certificate can be extracted from any FortiGate box or VM and abused in this manner. Once the threat actor has registered a rogue FortiGate with FortiManager, the vulnerability allows remote code execution on the FortiManager. Once access to FortiManager is achieved, the threat actor has free rein over downstream devices.
Threat Intelligence assessment
The vulnerability presents a significant risk to organisations due to the potential for remote code execution and the ease of exploitation. Successful exploitation of this vulnerability could allow threat actors to gain unauthorised access to FortiGate firewalls and internal networks, which could further lead to compromised data and altered configuration files. There is no Proof of Concept (PoC) available for this vulnerability, but one is expected to become publicly available in the coming days.
mnemonic's Incident Response Team have responded to an incident where this vulnerability was the initial access vector. mnemonic is also aware of successful compromises of organisations in Norway and BeNeLux via the vulnerability.
It is likely that the threat actor performed an Internet-wide scan and exploitation as part of a reconnaissance phase. mnemonic TI assess that it is likely that the threat actor selected high-value targets based on this reconnaissance activity for further operations. While activity has been attributed to China-linked threat actors in open sources, mnemonic TI have not verified this as of the publishing of this advisory.
Affected systems
Fortinet reports the following systems are affected:
| Version | Affected | Fix |
|---|---|---|
| FortiManager 7.6 | 7.6.0 | Upgrade to 7.6.1 or above |
| FortiManager 7.4 | 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.7 | Upgrade to 7.2.8 or above |
| FortiManager 7.0 | 7.0.0 through 7.0.12 | Upgrade to 7.0.13 or above |
| FortiManager 6.4 | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above |
| FortiManager 6.2 | 6.2.0 through 6.2.12 | Upgrade to 6.2.13 or above |
| FortiManager Cloud 7.6 | Not affected | Not Applicable |
| FortiManager Cloud 7.4 | 7.4.1 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiManager Cloud 7.2 | 7.2.1 through 7.2.7 | Upgrade to 7.2.8 or above |
| FortiManager Cloud 7.0 | 7.0.1 through 7.0.12 | Upgrade to 7.0.13 or above |
| FortiManager Cloud 6.4 | 6.4 all versions | Migrate to a fixed release |
In addition, old FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E may be affected.
Recommendations
To mitigate the risks associated with the vulnerability, organisations are advised to take the following actions:
- Apply the latest security patches provided by Fortinet to vulnerable FortiManager devices.
- Do not expose port TCP/541 and TCP/542 on the FortiManager to the Internet.
- Monitor network traffic and internal networks for abnormal behaviour or unknown devices.
- Implement audit logging on the FortiManager.
- Perform retrospective analysis of FortiManager audit logs and access logs, going back at least to June.
- Consider contacting your point of contact in Fortinet for further mitigations and information.
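The following is an added example, not code from mnemonic or Fortinet, showing one way to act on the "unknown devices" and "retrospective analysis" recommendations above: parse FortiManager-style audit log lines, keep device-registration events since a cut-off date, flag any whose serial number is not on the operator's allowlist of legitimate FortiGates, and then collect the follow-on events attributed to a flagged serial for scoping. The key=value log format, the field names (date, subtype, operation, device, serial, msg), the sample lines and the serial numbers are all constructed for illustration and do not reproduce FortiManager's exact log schema; adapt the field names to what your appliance actually emits.

```python
"""Triage helper for FortiManager-style audit logs (added example, constructed format)."""
import re
from datetime import date

# Matches key=value pairs; values may be quoted (and then contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log; serials and device names are placeholders, not real IoCs.
SAMPLE_LOG = """\
date=2024-05-15 time=09:00:00 subtype=dvm operation="Add device" device="FGT-OLD" serial="FGT-CONSTRUCTED-0009" msg="Device registered" user="admin"
date=2024-09-20 time=10:12:44 subtype=dvm operation="Add device" device="FGT-BRANCH-01" serial="FGT-CONSTRUCTED-0001" msg="Device registered" user="admin"
date=2024-09-22 time=03:41:07 subtype=dvm operation="Add device" device="localhost" serial="FGT-CONSTRUCTED-0002" msg="Unregistered device add succeeded" user="device manager"
date=2024-09-22 time=03:42:11 subtype=dvm operation="Get config" device="localhost" serial="FGT-CONSTRUCTED-0002" msg="Config retrieved"
date=2024-10-01 time=08:00:00 subtype=system operation="Login" user="admin" msg="Admin login"
"""

# Serial numbers of FortiGates the operator knows to be legitimate (constructed).
KNOWN_SERIALS = {"FGT-CONSTRUCTED-0001", "FGT-CONSTRUCTED-0009"}


def parse_line(line):
    """Turn one key=value audit line into a dict; quoted and bare values both handled."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def is_registration(event):
    """True for device-manager events that add a device (the FGFM registration step)."""
    return event.get("subtype") == "dvm" and event.get("operation", "").lower() == "add device"


def find_unknown_registrations(log_text, known_serials, since=date(2024, 6, 1)):
    """Registration events on or after `since` whose serial is not on the allowlist.

    The default cut-off follows the advisory's guidance to review logs back to June.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if not is_registration(event):
            continue
        if date.fromisoformat(event["date"]) < since:
            continue
        if event.get("serial") not in known_serials:
            hits.append(event)
    return hits


def follow_on_events(log_text, serial):
    """Every non-registration event carrying the flagged serial, to scope what it did."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event.get("serial") == serial and not is_registration(event):
            events.append(event)
    return events


if __name__ == "__main__":
    for hit in find_unknown_registrations(SAMPLE_LOG, KNOWN_SERIALS):
        print(f"UNKNOWN REGISTRATION {hit['date']} {hit['time']} "
              f"device={hit['device']!r} serial={hit['serial']!r} msg={hit['msg']!r}")
        for ev in follow_on_events(SAMPLE_LOG, hit["serial"]):
            print(f"  follow-on {ev['date']} {ev['time']} operation={ev['operation']!r}")
```

Run it against an exported audit log instead of `SAMPLE_LOG`, with `KNOWN_SERIALS` filled from your asset inventory; any registration that is not on the allowlist, especially one whose device name does not match your naming scheme, is a lead for incident response rather than a confirmed compromise on its own.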
Workarounds
If security patches cannot be applied, Fortinet has published several workarounds depending on the version. See Fortinet's advisory for detailed instructions.
- Option 1: Enable the 'fgfm-deny-unknown' configuration to prevent devices with unknown serial numbers from registering as unauthorised devices. Applicable versions: FortiManager 7.0.12 or above, 7.2.5 or above, 7.4.3 or above (but not 7.6.0).
- Option 2: Add local-in policies to whitelist the IP addresses of FortiGates that are allowed to connect. Applicable versions: FortiManager 7.2.0 and above.
- Option 3: Use a custom certificate installed on FortiGates. Applicable versions: FortiManager 7.2.2 and above, 7.4.0 and above, 7.6.0 and above.