Description
A critical vulnerability has been identified in the fgfmd daemon component of Fortinet’s FortiManager. This missing authentication vulnerability (CVE-2024-47575) allows remote attackers to execute arbitrary code or commands via specially crafted requests.
Affected Product(s)
FortiManager:
- 2.0 through 6.2.12
- 4.0 through 6.4.14
- 0.0 through 7.0.12
- 2.0 through 7.2.7
- 4.0 through 7.4.4
- 6.0
- FortiManager Cloud 6.4.1 through 6.4.7
- FortiManager Cloud 7.0.1 through 7.0.13
- FortiManager Cloud 7.2.1 through 7.2.7
- FortiManager Cloud 7.4.1 through 7.4.4
Technical Details
This vulnerability, tracked as CVE-2024-47575, is found within the fgfmd daemon of FortiManager—a centralized management platform designed to manage Fortinet devices, such as the FortiGate, FortiAP, and FortiSwitch. The vulnerability arises from missing authentication controls on critical functions.
An unauthenticated remote attacker can exploit this flaw by sending specially crafted requests to the vulnerable fgfmd daemon, allowing for arbitrary code or command execution. Specific versions of FortiManager are susceptible to this flaw. The vulnerable range includes versions from 6.2.0 through 6.2.12, 6.4.0 through 6.4.14, 7.0.0 through 7.0.12, 7.2.0 through 7.2.7, and more recent versions including 7.4.0 through 7.4.4 and 7.6.0. The vulnerability is also present in FortiManager Cloud versions corresponding to these versions.
This issue primarily stems from the lack of proper authentication mechanisms in accessing certain functions of the fgfmd daemon—a critical component responsible for various management tasks within FortiManager. As detailed in multiple security bulletins and advisories, including those from CERT NZ and the National Vulnerability Database, this vulnerability is rated as critical, with a CVSSv3 score of 9.8 and a CVSSv2 score of 10.0 due to its severe impact.
This high severity is attributed to the ease with which unauthenticated attackers can exploit the weakness to compromise systems managed by FortiManager. Additionally, the presence of this vulnerability has been confirmed through sources like NIST’s National Vulnerability Database and others that indicate active exploitation in the wild.
The threat actor group UNC5820 has been linked to campaigns exploiting this vulnerability, as they have targeted FortiManager in zero-day attacks. Reports and analyses suggest that since June 2024, this exploit has been actively used, indicating a well-organized and potentially state-sponsored effort to exploit FortiManager users worldwide. Known attack scenarios involve the use of crafted packets aimed at circumventing authentication checks, thus providing attackers with the ability to execute arbitrary commands on the server.
The absence of authentication flaws like these, categorized under CWE-306 (Missing Authentication for Critical Function), highlights a significant oversight in the security design of affected FortiManager components. Organizations relying on FortiManager are highly advised to review their exposure to this vulnerability and apply necessary patches promptly to mitigate the risk of exploitation.
Weakness
The primary weakness associated with this vulnerability is classified under CWE-306, which pertains to missing authentication for a critical function. This specific weakness allows attackers to remotely access and execute unauthorized commands without requiring any prior authentication, thereby compromising the system’s integrity and security.
Impact Assessment
If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data or execute arbitrary code on the affected system. This could lead to substantial data breaches, unauthorized data manipulation, and potential system control by malicious entities, severely impacting affected organizations’ operational capabilities and confidentiality.
Active Exploitation
We have observed activity from the adversary group UNC5820, which is known for targeting similar vulnerabilities in the past. This group has been identified as exploiting the CVE-2024-47575 vulnerability in FortiManager for executing global cyberattacks, leveraging the missing authentication loophole to compromise systems.
Ransomware Association
The vulnerability has been linked to ransomware attacks, specifically targeting entities using FortiManager by exploiting this vulnerability to gain initial access to the system. While explicit ransomware strains have not been identified in this context, the potential for such exploitation exists, given the critical access level the vulnerability provides.
Mitigation and Resolution
We have released patches addressing this vulnerability. Please update to the following versions immediately:
- FortiManager 6.2.13
- FortiManager 6.4.15
- FortiManager 7.0.13
- FortiManager 7.2.8
- FortiManager 7.4.5
- FortiManager 7.6.1
It is crucial for users running vulnerable versions to apply these updates to mitigate the security risks.
Recommendations
- We strongly recommend that all customers apply the latest patch as soon as possible.
- Verify the version of FortiManager using version detection tools to ensure you are running a secure version.
- Disable unnecessary services and features in FortiManager to minimize potential exposure.
- Employ intrusion detection and prevention systems to monitor and block malicious attempts that exploit this vulnerability.
- Regularly back up configurations and data to ensure recovery in case of an incident.
References
- CERT NZ – Zero Day Vulnerability Affecting FortiManager
- Zero Day Database
- CVE MITRE Details
- Fortijump Flaw Exploited Since June 2024
- National Vulnerability Database
- Missing Authentication in fgfmsd
- Missing Authentication in fgfmsd