A critical vulnerability in Fortinet’s FortiManager, identified as CVE-2024-47575, has exposed organizations to widespread exploitation, allowing attackers to steal sensitive configuration data and access managed networks.
The flaw, which Fortinet officially disclosed on October 23, enables unauthorized users to bypass authentication and execute arbitrary code, leaving thousands of devices at risk. Cybersecurity researchers and Fortinet’s customers had reported ongoing exploitation of the vulnerability weeks before its public disclosure, underscoring the severity of the situation.
FortiManager Flaw: A Key Target for Exploitation
The vulnerability in FortiManager, a tool used to manage FortiGate firewalls across enterprises and Managed Service Providers (MSPs), allows attackers to exploit the FortiGate to FortiManager (FGFM) protocol. This flaw permits an attacker with a valid certificate to establish an SSL tunnel between a compromised FortiGate device and the FortiManager server, granting access to manage and control network devices remotely.
The flaw impacts FortiManager versions 7.0.0 through 7.6.0 and was assigned a critical severity score of 9.8 out of 10. Fortinet issued private warnings to affected customers as early as October 13, advising them to apply mitigations while the company worked on releasing security patches.
However, public awareness of the exploit began spreading through cybersecurity circles when researcher Kevin Beaumont shared details on Medium, coining the name “FortiJump” for the exploit. Beaumont’s research and leaked customer reports indicated that the vulnerability had been actively exploited long before Fortinet’s private disclosures.
🚨 Breaking: A zero-day vulnerability (CVE-2024-47575) has been observed impacting Fortinet FortiManager devices, posing serious risks. Learn how the exploit works, and how to defend against the threat.
Read more -> https://t.co/tGag4Okvvd #ThreatIntelligence
— Mandiant (part of Google Cloud) (@Mandiant) October 24, 2024
Exploitation Dates Back to June 2024
According to a report released by Google Cloud Threat Intelligence on October 24, the first signs of active exploitation were detected on June 27, 2024, when multiple FortiManager devices received unauthorized inbound connections. Attackers used IP addresses traced back to cloud hosting provider Vultr, staging compressed archives containing configuration data from managed FortiGate firewalls.
The stolen data included detailed configuration settings, user credentials, and IP addresses that could be used to infiltrate corporate networks. A second exploitation attempt occurred on September 23, 2024, confirming the ongoing and persistent threat.
Attackers were able to register rogue FortiGate devices with compromised FortiManager systems. Once connected, these rogue devices granted full access to network management settings, enabling attackers to issue commands and potentially traverse internal networks.
Despite this extensive access, no malware installations or low-level system modifications were detected on the compromised FortiManager devices. Beaumont believes that Mandiant and Fortinet have not yet uncovered the full scale of the problem and that more fallout from the vulnerability is still to come.
Fortinet’s Patch and Mitigation Response
In response to the ongoing exploitation, Fortinet released patches for FortiManager versions 7.2.8 and 7.4.5 on October 23, with further updates planned for older versions. Fortinet’s advisory urged users to update their systems immediately or implement temporary mitigations if updates couldn’t be applied.
These mitigations include restricting connections to FortiManager to known IP addresses, denying registration of unknown FortiGate devices, and using custom SSL certificates to secure the FGFM protocol. Despite these efforts, Fortinet’s customers expressed frustration over the handling of the vulnerability. Some reported that they had not received advance notification, and many first learned about the exploit through social media or leaked reports.
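As an added illustration that is not part of the original article, the three mitigations above expressed as FortiManager CLI configuration. The option names follow Fortinet's published workarounds, but which of them a given release supports depends on the FortiManager version, and the 203.0.113.0/24 source range and the Custom_CA certificate name are placeholders.

```text
# 1. Refuse registration attempts from FortiGate devices this FortiManager
#    does not already know (closes the rogue-device path described above).
config system global
    set fgfm-deny-unknown enable
end

# 2. Accept FGFM (TCP/541) only from known FortiGate management addresses.
#    The accept rule must be evaluated before the catch-all deny.
config system local-in-policy
    edit 1
        set action accept
        set dport 541
        set src 203.0.113.0/24
    next
    edit 2
        set action deny
        set dport 541
    next
end

# 3. Require a custom CA for FGFM tunnels, so a certificate taken from an
#    arbitrary FortiGate is no longer enough to establish a session.
config system global
    set fgfm-ca-cert Custom_CA
    set fgfm-cert-exclusive enable
end
```

After applying any of these, confirm with `get system global` and `show system local-in-policy` that the settings took effect, and verify that legitimate managed FortiGates still check in.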
This is not the first time Fortinet has been criticized for its communication strategy. A similar situation occurred in December 2022, when the company quietly patched a critical FortiOS SSL-VPN vulnerability (CVE-2022-42475) without public acknowledgment of its active exploitation.
Impact on Managed Service Providers
MSPs, which often manage multiple client networks using FortiManager, have been a primary target of the exploit. Attackers leveraging this vulnerability could gain access to both the MSP’s internal network and the networks of their downstream clients. Beaumont highlighted the critical nature of this attack vector, noting that compromised FortiGate firewalls could be used to pivot through the FGFM protocol, potentially exposing vast corporate infrastructures.
The exposure is compounded by the default settings of the FGFM protocol, which allow FortiManager systems to accept connections from unknown devices without additional checks. Attackers need only obtain a certificate from any FortiGate device, making it relatively easy to exploit vulnerable systems.
Last Updated on November 7, 2024 2:22 pm CET