HackerDose

Fortinet’s FortiManager Zero-Day Flaw News Spreads Faster Than Their Fix

Fortinet’s critical FortiManager API vulnerability was secretly exploited for weeks before the company came clean.

By Marco Rizal, Editor, Journalist
Last updated: October 24, 2024 12:14 pm
  • Fortinet warned customers privately on October 13, but users were already under attack.
  • The zero-day flaw, dubbed "FortiJump," exposes sensitive configurations, credentials, and networks.
  • Cybersecurity expert Kevin Beaumont warned it allows hackers to control managed Fortinet devices.

Fortinet's critical FortiManager API vulnerability, tracked as CVE-2024-47575, was publicly disclosed today, but not before attackers had exploited it as a zero-day. Many customers had already been notified privately by Fortinet and given a temporary mitigation.

Kevin Beaumont, a cybersecurity researcher, nicknamed the flaw "FortiJump" because it gives unauthorized access to the sensitive data FortiManager holds for every device it manages: configurations, IP addresses, and credentials.

Despite the company's quiet efforts to address the issue since October 13, news of the vulnerability spread online this week, sparked by Reddit discussions and Beaumont's warning on Mastodon.

Fortinet has so far shipped fixes in FortiManager 7.2.8 and 7.4.5, with patched builds for the other affected release branches promised in the coming days. The bug sits in the FortiGate to FortiManager Protocol (FGFM), which Fortinet created so that FortiGate firewalls can be managed centrally from FortiManager.

The protocol establishes a TLS tunnel between each FortiGate and the FortiManager (TCP port 541 by default), and a device presenting a valid FortiGate certificate can ask to register. CVE-2024-47575 is a missing-authentication flaw in FortiManager's fgfmd daemon: a remote attacker holding such a certificate, which can be taken from any FortiGate, can send crafted requests that execute commands on the FortiManager without the additional authentication the API is supposed to require.

This flaw allows attackers to gain complete control of FortiManager and its connected devices, compromising entire networks.

“The vulnerability allows threat actors to bypass the authentication required to execute commands on the FortiManager server, gaining access to managed devices and potentially the entire corporate network,” said Beaumont, adding that the flaw is particularly dangerous for Managed Service Providers (MSPs).

“Once inside, attackers can move from firewall to firewall, exploiting other vulnerabilities,” according to him.

Fortinet has published workarounds for administrators who cannot update right away.

Customers can enable the "fgfm-deny-unknown" setting, which makes FortiManager refuse registration attempts from devices whose serial numbers are not already in its device list; switch FGFM to a custom CA certificate so that only FortiGates carrying a certificate issued by that CA are accepted; and use local-in policies to allow FGFM connections only from the IP addresses of their known FortiGates.

Fortinet warns, however, that the custom-certificate workaround only helps as long as the attacker cannot get hold of a certificate the FortiManager trusts.

Exploitation of the zero-day has already resulted in data theft: Fortinet confirmed that attackers exfiltrated files containing the IP addresses, credentials, and configurations of managed devices.

Because FortiManager stores these files for every device it manages, the stolen data gives attackers a direct route onto those devices and into the networks behind them.
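If a FortiManager was reachable before the workarounds went in, the practical question is whether an unknown device already registered with it and pulled those files. The script below is an added example, not code from Fortinet or this article: it parses FortiManager event logs in their key=value format and flags the two device-manager (dvm) event shapes that Fortinet's advisory lists as indicators, an "unregistered" device being added, and device settings being edited for a serial number that is not in your own inventory. The log lines, hostnames and serial numbers in it are constructed for the example.

```python
"""Triage FortiManager event logs for a rogue device joining over FGFM.

Added example, not code from Fortinet or this article.  FortiManager writes
event logs as space-separated key=value pairs (values may be double-quoted);
the field names below follow that format, but the sample lines, hostnames and
serial numbers are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# key=value or key="quoted value" pairs, as written by FortiOS/FortiManager logs
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# device edits are recorded as: changes="Edited device settings (SN <serial>)"
_SERIAL_IN_CHANGES = re.compile(r"\(SN ([A-Za-z0-9-]+)\)")


def parse_log_line(line: str) -> dict[str, str]:
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    fields: dict[str, str] = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


@dataclass
class Finding:
    line_no: int
    reason: str
    serial: Optional[str] = None


def triage(lines: Iterable[str], known_serials: set[str]) -> list[Finding]:
    """Flag device-manager (subtype=dvm) events that point at a rogue device.

    Two shapes are flagged: FortiManager adding a device it had never seen
    ("unregistered"), and a device record being edited for a serial number
    that is not in the administrator's own FortiGate inventory.
    """
    findings: list[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        ev = parse_log_line(line)
        if ev.get("type") != "event" or ev.get("subtype") != "dvm":
            continue
        if ev.get("device") == "unregistered" and ev.get("operation") == "Add device":
            findings.append(Finding(line_no, "unregistered device added"))
        match = _SERIAL_IN_CHANGES.search(ev.get("changes", ""))
        if match and match.group(1) not in known_serials:
            findings.append(
                Finding(line_no, "device settings edited for serial not in inventory", match.group(1))
            )
    return findings


# Constructed sample: a legitimate managed FortiGate, then a rogue registration.
SAMPLE_LOGS = [
    'date=2024-10-23 time=09:12:44 type=event subtype=dvm pri=information '
    'user="System" msg="Device FGT-BRANCH-01 settings changed" device="FGT-BRANCH-01" '
    'adom="root" operation="Modify device" performed_on="FGT-BRANCH-01" '
    'changes="Edited device settings (SN FGVMEXAMPLE00001)"',
    'date=2024-10-23 time=09:15:02 type=event subtype=dvm pri=information '
    'user="device" msg="Unregistered device localhost add succeeded" device="unregistered" '
    'adom="FortiManager" session_id=3 operation="Add device" performed_on="localhost" '
    'changes="Unregistered device localhost add succeeded"',
    'date=2024-10-23 time=09:15:03 type=event subtype=dvm pri=notice '
    'user="System" msg="" adom="root" session_id=0 operation="Modify device" '
    'performed_on="localhost" changes="Edited device settings (SN FMGVMROGUE000001)"',
    'date=2024-10-23 time=09:20:10 type=event subtype=system pri=information '
    'user="admin" msg="User admin logged in successfully"',
]
# Serial numbers of the FortiGates you actually own (constructed for the example).
KNOWN_SERIALS = {"FGVMEXAMPLE00001", "FGVMEXAMPLE00002"}


def run_demo() -> list[Finding]:
    """Run the triage over the constructed sample and return the findings."""
    return triage(SAMPLE_LOGS, KNOWN_SERIALS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"line {f.line_no}: {f.reason}" + (f" (SN {f.serial})" if f.serial else ""))
```

Feed it an export of the FortiManager event log together with your real FortiGate serial inventory. A hit does not by itself prove compromise, but a device you never deployed registering with FortiManager is exactly what the fgfm-deny-unknown workaround exists to prevent, so every hit needs an explanation, and any that falls before the workaround was applied should be treated as a possible exfiltration of the stored device credentials and configurations.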

Fortinet has been criticized for how long it took to acknowledge the vulnerability publicly. Beaumont noted that the flaw had been exploited long before Fortinet even alerted customers privately.

“It's been in the wild for weeks,” he stated. There are currently nearly 60,000 FortiManager instances on the internet, with more than 13,000 in the United States.

Fortinet's advisory rates the vulnerability 9.8 out of 10 in CVSS severity. Fortinet also says the compromised systems it has examined show no signs of malware installation or database modification.

So far the attackers' aim appears to be extracting data from FortiManager, which could pave the way for larger, more damaging attacks later.

The Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities catalog, giving federal civilian agencies until November 13 to patch their systems.

Though ransomware groups have yet to be confirmed as exploiting this vulnerability, Beaumont believes nation-state actors are already taking advantage of it.

Beaumont also reported that attackers were chaining older Fortinet vulnerabilities, including CVE-2024-23113 (a format-string bug in the FortiOS fgfmd daemon), as entry points before using the newly disclosed CVE-2024-47575 against FortiManager for full access.

CISA had previously warned of the earlier vulnerability in October, giving federal agencies until October 30 to patch their systems.

Mandiant, which assisted Fortinet with the investigation, attributes the exploitation to a newly designated threat cluster it tracks as UNC5820.

Mandiant has seen the group active since at least June 2024, staging and exfiltrating FortiGate configuration data from FortiManager systems across multiple industries.
