Fortinet Warns of Actively Exploited Flaw in FortiManager: CVE-2024-47575 (CVSS 9.8)
Fortinet has issued a security advisory for its FortiManager platform, addressing a critical vulnerability—CVE-2024-47575—which has been actively exploited in the wild. This vulnerability, rated at CVSS 9.8, arises from a missing authentication flaw in the fgfmsd daemon, potentially allowing remote, unauthenticated attackers to execute arbitrary commands or code via specially crafted requests.
Fortinet explained that “a missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.” Given the high severity, Fortinet has recommended immediate action to mitigate the risks associated with this flaw.
The vulnerability affects multiple versions of FortiManager, including:
- FortiManager 7.6 (versions prior to 7.6.1)
- FortiManager 7.4 (versions 7.4.0 through 7.4.4)
- FortiManager 7.2 (versions 7.2.0 through 7.2.7)
- FortiManager 7.0 (versions 7.0.0 through 7.0.12)
- FortiManager 6.4 (versions 6.4.0 through 6.4.14)
- FortiManager 6.2 (versions 6.2.0 through 6.2.12)
FortiManager Cloud versions are also impacted, and users are advised to upgrade to fixed releases as outlined in the advisory.
Fortinet has confirmed that CVE-2024-47575 has been actively exploited, making it crucial for organizations to act swiftly. “Reports have shown this vulnerability to be exploited in the wild,” the company noted, highlighting the urgency of applying the provided patches.
In addition to updating to the latest versions, Fortinet has offered several workarounds for those unable to upgrade immediately. For example, users can enable the fgfm-deny-unknown setting to prevent unknown devices from attempting to register with FortiManager.
However, Fortinet warns that enabling this setting could block legitimate FortiGate devices from connecting if they are not listed in the device list.
For versions 7.2.0 and above, users can also apply local-in policies to whitelist specific IP addresses that are allowed to connect to FortiManager, providing an additional layer of security.
Fortinet has provided a list of possible indicators of compromise, which include log entries and specific IP addresses associated with malicious activity. The advisory recommends reviewing event logs for suspicious behavior, such as unregistered devices being added or changes to device settings.
IP addresses to watch for include:
- 45.32.41.202
- 104.238.141.143
- 158.247.199.37
- 45.32.63.2
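As an added example (not code from Fortinet's advisory or from this article), the Python below scans FortiManager-style event logs for the four IoC addresses listed above and for the unregistered-device events the advisory says to look for. The sample log lines and the message patterns are constructed to resemble FortiManager's key=value event format and are assumptions, not quoted from the advisory.

```python
import re
from dataclasses import dataclass

# IP addresses listed as possible IoCs in the advisory quoted above.
IOC_IPS = {"45.32.41.202", "104.238.141.143", "158.247.199.37", "45.32.63.2"}

# Patterns for the events the advisory says to review: unregistered devices being
# added or device settings modified. Assumed wording, modelled on the advisory's
# description rather than copied from it.
SUSPICIOUS_MSG = re.compile(
    r'unregistered device .* add|operation="(?:add|edit) device"', re.IGNORECASE
)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample lines; only lines 1 and 3 should be flagged.
SAMPLE_LOG = """\
type=event,subtype=dvm,pri=notice,msg="Unregistered device localhost add succeeded" device="localhost" operation="Add device" performed_on="localhost"
type=event,subtype=system,pri=information,user="admin" remote_ip="10.0.0.15" msg="User admin logged in from GUI"
type=event,subtype=dvm,pri=notice,user="fgfm" remote_ip="45.32.63.2" msg="Device branch-fw-01 connection established"
type=event,subtype=dvm,pri=information,msg="Device branch-fw-01 config sync ok" operation="Sync config"
""".splitlines()


@dataclass
class Finding:
    line_no: int
    reason: str
    msg: str


def parse_kv(line: str) -> dict:
    """Parse a key=value log line; values may be double-quoted or bare (comma/space separated)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^\s,]+)', line)}


def scan(lines) -> list:
    """Return one Finding per line that mentions an IoC address or a suspicious device event."""
    findings = []
    for n, line in enumerate(lines, 1):
        msg = parse_kv(line).get("msg", "")
        hit = set(IPV4.findall(line)) & IOC_IPS
        if hit:
            findings.append(Finding(n, f"known IoC address {sorted(hit)[0]}", msg))
        elif SUSPICIOUS_MSG.search(line):
            findings.append(Finding(n, "unregistered or modified device event", msg))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}: {f.msg}")
```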
For organizations that have already been compromised, Fortinet suggests two recovery methods:
- Recommended Recovery Action: Install a fresh FortiManager VM or reinitialize the hardware model, then add or discover devices, or restore a backup taken before the detection of the indicators of compromise (IoCs).
- Alternative Recovery Action: Manually verify the accuracy of the current FortiManager configuration, restore components from the compromised FortiManager, and rebuild the database if needed.