POC Exploit Released for Fortinet Bug CVE-2024-47575

Security researcher Sina Kheirkhah from watchTowr recently published technical details and a PoC exploit for a critical zero-day vulnerability in FortiManager and FortiAnalyzer devices. The flaw allows remote, unauthenticated attackers to execute arbitrary code or commands by exploiting a missing authentication mechanism in the FGFM protocol.

The vulnerability, dubbed FortiJump and tracked as CVE-2024-47575 with a CVSS score of 9.8, is actively being exploited in the wild, with attacks reportedly beginning as early as June 2024. This prompted US CISA to add the bug to its Known Exploited Vulnerabilities (KEV) catalog, urging immediate action.


According to Fortinet's statement, the observed in-the-wild activity, attributed to UNC5820, consisted of using a script to automate the exfiltration of various files from the FortiManager, which contained the IPs, credentials and configurations of the managed devices.

So far, about 50 FortiManager devices across various industries have been identified as potentially compromised. The exploitation campaigns date back to June 27, 2024, underscoring the widespread impact.

The vulnerability affects various versions of FortiManager, including 7.x, 6.x, FortiManager Cloud 7.x, and 6.x. It also impacts older FortiAnalyzer models with specific configurations.


Fortinet has provided workarounds tailored to different versions of FortiManager:

  • FortiManager versions 7.0.12 or above, 7.2.5 or above, and 7.4.3 or above: prevent unknown devices from attempting to register.
  • FortiManager versions 7.2.0 and above: add local-in policies to allow-list specific IP addresses.
  • FortiManager versions 7.2.2 and above, 7.4.0 and above, and 7.6.0 and above: use a custom certificate for secure connections.
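To map a FortiManager fleet against the version-specific workarounds above, here is an added Python triage helper (not Fortinet's or the article's code). The version thresholds are the ones listed in the article; the hostnames and versions in the sample inventory are constructed, and the script assumes that a release branch the article does not name for a workaround is not covered by it.

```python
# CVE-2024-47575 workaround triage (added example, not Fortinet's or the article's
# code). Version thresholds come from the article's workaround list; the
# inventory at the bottom is constructed sample data.

# Minimum patch level, per major.minor branch, at which each workaround is
# available. Assumption: a branch the article does not name for a workaround
# (e.g. 7.6 for the registration block) is treated as not covered by it.
WORKAROUNDS = {
    "deny unknown device registration": {(7, 0): 12, (7, 2): 5, (7, 4): 3},
    "local-in policy IP allow-list":    {(7, 2): 0, (7, 4): 0, (7, 6): 0},
    "custom certificate":               {(7, 2): 2, (7, 4): 0, (7, 6): 0},
}

def parse_version(text: str) -> tuple[int, int, int]:
    # Accept "7.4.2" or "FortiManager 7.4.2"; reject anything else loudly.
    parts = text.strip().split()[-1].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch

def available_workarounds(version: str) -> list[str]:
    """Workarounds from the article's list that this version can apply."""
    major, minor, patch = parse_version(version)
    return [name for name, branches in WORKAROUNDS.items()
            if (major, minor) in branches and patch >= branches[(major, minor)]]

def triage(inventory: list[dict]) -> list[dict]:
    """Annotate each FortiManager; with no workaround available, upgrading is the only fix."""
    report = []
    for device in inventory:
        options = available_workarounds(device["version"])
        report.append({"host": device["host"], "version": device["version"],
                       "workarounds": options,
                       "action": "apply workaround or upgrade" if options else "upgrade"})
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "fmg-eu-01", "version": "7.0.11"},
    {"host": "fmg-eu-02", "version": "7.2.3"},
    {"host": "fmg-lab-01", "version": "6.4.14"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']:<10} {row['version']:<7} {row['action']}: {row['workarounds']}")
```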

Organizations using FortiManager are strongly urged to apply the available workarounds or upgrade to patched versions immediately to protect their networks from this critical threat.

For more details on the exploit, refer to the GitHub repository.
