Warning! FortiManager critical vulnerability under active attack

October 23, 2024 at 06:56PM

Fortinet disclosed a critical flaw (CVE-2024-47575) in its FortiManager software that allows remote, unauthenticated attackers to execute arbitrary code. Rated CVSS 9.8, it is being actively exploited, and users are urged to update immediately. CISA has added it to its Known Exploited Vulnerabilities Catalog, warning that a large number of users are exposed.

**Meeting Notes Takeaways: Case of Fortinet’s Critical Vulnerability**

1. **Critical Vulnerability Announced**: Fortinet has publicly disclosed a critical flaw in its FortiManager centralized management software, identified as CVE-2024-47575, with a CVSS score of 9.8.

2. **Nature of the Vulnerability**: A missing authentication vulnerability (CWE-306) in the FortiManager fgfmd daemon could allow remote unauthenticated attackers to execute arbitrary code through specially crafted requests.

3. **Potential Impact**: The flaw enables unauthenticated code execution on unpatched FortiManager instances. Because FortiManager holds the configurations and credentials of the FortiGate devices it manages, a compromised instance gives an attacker a foothold from which to reach those managed devices and the wider network.

4. **Active Exploitation**: CISA has confirmed that this vulnerability is under active exploitation and has added it to the Known Exploited Vulnerabilities Catalog. Federal IT administrators are urged to address this issue immediately.

5. **Security Concerns**: Security expert Kevin Beaumont indicated that around 60,000 users might be exposed to this vulnerability. He expressed skepticism about Fortinet’s approach to privately informing customers instead of publicly disclosing the flaw.

6. **Immediate Action Recommended**: Fortinet advises users of FortiManager 7.6 and earlier branches, as well as FortiManager Cloud, to upgrade to the fixed release for their branch without delay.

7. **Indicators of Compromise**: Fortinet provided a list of indicators of compromise for admins to monitor, as well as four malicious IP addresses linked to the exploitation: 45.32.41.202, 104.238.141.143, 158.247.199.37, and 45.32.63.2.

8. **Actions of Attackers**: Reported malicious activity consists of automated scripts exfiltrating files from compromised FortiManager systems; those files contain the IP addresses, credentials, and configurations of the managed devices.

9. **No Malware Installed**: Fortinet reports no evidence of low-level malware or backdoors installed on compromised systems, and no indicators of altered databases or modifications to managed devices.

10. **Previous Vulnerabilities**: Fortinet recently faced another critical vulnerability, CVE-2024-23113, a format-string bug in the fgfmd daemon on FortiOS and related products, that, despite being patched in February, still leaves an estimated 86,000 exposed devices at risk.

**Action Items**:
– Urge all FortiManager users to upgrade to the fixed release for their branch.
– Monitor FortiManager logs for the published indicators of compromise and the listed malicious IP addresses.
– Prepare internal teams to address potential compromise stemming from either vulnerability.
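A concrete way to act on the "monitor for indicators" item is to run the published IP list over FortiManager event logs. The script below is an added example, not Fortinet tooling or anything from the advisory: it assumes key=value log lines (the style Fortinet products emit) with the peer address in a `srcip` field and fgfm tunnel events carrying a `msg` that begins with `fgfm`; the sample lines, serial numbers and timestamps are constructed, with RFC 5737 documentation addresses for the benign peers. It also goes one step beyond the advisory's IP list, flagging any fgfm peer that is not in your own managed-device inventory, since attacker infrastructure changes while the "unknown FortiGate talking to my FortiManager" signal does not.

```python
"""Scan FortiManager-style event logs for the indicators in the advisory.

Added example, not Fortinet's tooling. Assumptions: logs are key=value lines
with the peer address in "srcip" and fgfm tunnel events carrying a "msg"
starting with "fgfm". The sample log below is constructed.
"""
import re
from ipaddress import ip_address

# Source IPs Fortinet linked to the exploitation (from the advisory summary).
IOC_IPS = frozenset({
    "45.32.41.202",
    "104.238.141.143",
    "158.247.199.37",
    "45.32.63.2",
})

# Constructed sample log; serials, timestamps and benign peers are invented.
SAMPLE_LOG = """\
date=2024-10-22 time=09:14:02 type="event" subtype="system" srcip=203.0.113.10 serial="FGT0000000000001" msg="fgfm connection established"
date=2024-10-22 time=09:15:47 type="event" subtype="system" srcip=45.32.41.202 serial="FGT0000000000099" msg="fgfm connection established"
date=2024-10-22 time=09:16:01 type="event" subtype="system" srcip=198.51.100.7 serial="FGT0000000000002" msg="fgfm connection established"
date=2024-10-22 time=09:18:12 type="event" subtype="system" user="admin" srcip=203.0.113.10 msg="GUI login succeeded"
date=2024-10-22 time=09:20:33 type="event" subtype="system" srcip=158.247.199.37 serial="FGT0000000000099" msg="fgfm connection established"
"""

# key=value, where the value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Turn one key=value log line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def peer_ip(fields):
    """Return the normalized peer address of a parsed line, or None if absent/malformed."""
    raw = fields.get("srcip")
    if raw is None:
        return None
    try:
        return str(ip_address(raw))
    except ValueError:
        return None


def ioc_hits(lines):
    """Lines whose peer address is one of the advisory's IPs, as (line_no, ip, msg)."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = parse_kv(line)
        ip = peer_ip(fields)
        if ip in IOC_IPS:
            hits.append((n, ip, fields.get("msg", "")))
    return hits


def unknown_fgfm_peers(lines, managed_ips):
    """fgfm sessions from addresses outside the managed-device inventory.

    Complements the IoC list: an fgfm peer that is not one of your own
    FortiGates is anomalous regardless of which IP the attacker uses.
    Returns (line_no, ip, serial) for each such line.
    """
    managed = {str(ip_address(a)) for a in managed_ips}
    found = []
    for n, line in enumerate(lines, 1):
        fields = parse_kv(line)
        if not fields.get("msg", "").startswith("fgfm"):
            continue  # only tunnel events, not GUI logins etc.
        ip = peer_ip(fields)
        if ip is not None and ip not in managed:
            found.append((n, ip, fields.get("serial", "")))
    return found


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for n, ip, msg in ioc_hits(lines):
        print(f"IOC hit           line {n}: {ip} ({msg})")
    for n, ip, serial in unknown_fgfm_peers(lines, ["203.0.113.10", "198.51.100.7"]):
        print(f"unknown fgfm peer line {n}: {ip} serial={serial}")
```

On real systems, feed it the exported FortiManager event log instead of `SAMPLE_LOG` and populate the inventory from your FortiGate list; a hit from `unknown_fgfm_peers` with a serial you do not own is worth treating as a possible exploitation attempt even if the IP is not on Fortinet's list.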
