Securonix Threat Research Security Advisory
Details and Guidance on New “FortiJump”
Vulnerability or CVE-2024-47575
Securonix Threat Research: Den Iuzvyk, Tim Peck
Detection Engineering: Abhishek Narasimhan
Last week, a critical vulnerability was identified affecting FortiManager deployments. Fortinet and Mandiant, working together, first identified the vulnerability being exploited in the wild by UNC5820, which leveraged it in attacks as early as June 27, 2024.
Fortinet released a patch for the vulnerability, designated CVE-2024-47575 on October 23, 2024, following private notifications to affected customers earlier in October. This patch addresses the critical vulnerability in both FortiManager and FortiManager Cloud versions. The vulnerability is tracked as CRITICAL and carries a CVSS score of 9.8:
Figure 1: CVE details – source tenable
Vulnerability details and scope
On , tracked as CVE-2024-47575 or “FortiJump”, according to Mandiant, organizations that may have their FortiManager exposed to the internet should conduct a forensic investigation immediately.
At the time of publication, Shodan still shows over 59,000 exposed devices, a reduction of only about a thousand from the figure SOC Radar reported on Wednesday of last week.
Figure 3: Exposed devices: Source shodan.io
Exploitation overview
The vulnerability CVE-2024-47575, also known as “FortiJump,” is a critical flaw in FortiManager that allows remote, unauthenticated attackers to execute arbitrary commands on affected systems. The flaw stems from a missing authentication check in the FortiGate-FortiManager communication protocol (FGFM), specifically in the fgfmsd daemon, which handles communication between FortiManager and FortiGate devices. Without proper authentication in place, an attacker can interact remotely with the FortiManager server by sending specially crafted requests that bypass the usual user verification procedures.
Once an attacker gains access through this flaw, they can exploit the connection to FortiManager to access configuration files, steal sensitive data or potentially interact with all FortiGate devices managed by the compromised FortiManager instance.
The level of access that the attackers would gain is particularly dangerous because FortiManager serves as a central control platform for all connected FortiGate firewalls and other network security devices. According to Mandiant, the exploit has enabled attackers to extract data such as FortiGate configurations and hashed passwords, which could provide further opportunities for lateral movement or deeper network compromise. At this stage, the attackers could pivot their attack and attempt to move laterally into other internal systems.
Mitigation strategies and workarounds
- Apply the patch provided by Fortinet (see table below for affected versions and recommendations)
- Limit access to the FortiManager admin portal to approved internal IP addresses only, or avoid exposing FortiManager appliances to the public internet altogether.
- Ensure strict whitelisting rules by allowing only permitted FortiGate addresses to communicate with FortiManager.
- Deny unknown FortiGate devices from being associated with FortiManager.
Fortinet provided configuration workarounds for administrators unable to apply the patch immediately, aimed at limiting unauthorized device access and enhancing security for impacted systems. For the best security, Fortinet urges users to upgrade to the fixed versions promptly and review the provided mitigations for any delayed updates.
Review your deployment for vulnerable versions and apply necessary actions per Fortinet’s recommendations:
| Product Version | Affected Versions | Recommendation |
|---|---|---|
| FortiManager 7.6 | 7.6.0 | Upgrade to 7.6.1 or above |
| FortiManager 7.4 | 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.7 | Upgrade to 7.2.8 or above |
| FortiManager 7.0 | 7.0.0 through 7.0.12 | Upgrade to 7.0.13 or above |
| FortiManager 6.4 | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above |
| FortiManager 6.2 | 6.2.0 through 6.2.12 | Upgrade to 6.2.13 or above |
| FortiManager Cloud 7.6 | Not affected | Not applicable |
| FortiManager Cloud 7.4 | 7.4.1 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiManager Cloud 7.2 | 7.2.1 through 7.2.7 | Upgrade to 7.2.8 or above |
| FortiManager Cloud 7.0 | 7.0.1 through 7.0.12 | Upgrade to 7.0.13 or above |
| FortiManager Cloud 6.4 | 6.4 all versions | Migrate to a fixed release |
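To check an inventory against the table above, here is an added example (not Securonix or Fortinet code) that encodes the affected ranges and compares versions numerically rather than as strings, so a build such as 7.4.10 is not mistaken for one below 7.4.5. The inventory records at the bottom are constructed.

```python
"""Assess FortiManager inventory entries against the CVE-2024-47575 table."""

# (product, branch) -> (first affected, last affected, fixed release).
# A last-affected value of None means every release of that branch is affected;
# a value of None for the whole entry means the branch is listed as not affected.
AFFECTED = {
    ("FortiManager", "7.6"): ("7.6.0", "7.6.0", "7.6.1"),
    ("FortiManager", "7.4"): ("7.4.0", "7.4.4", "7.4.5"),
    ("FortiManager", "7.2"): ("7.2.0", "7.2.7", "7.2.8"),
    ("FortiManager", "7.0"): ("7.0.0", "7.0.12", "7.0.13"),
    ("FortiManager", "6.4"): ("6.4.0", "6.4.14", "6.4.15"),
    ("FortiManager", "6.2"): ("6.2.0", "6.2.12", "6.2.13"),
    ("FortiManager Cloud", "7.6"): None,
    ("FortiManager Cloud", "7.4"): ("7.4.1", "7.4.4", "7.4.5"),
    ("FortiManager Cloud", "7.2"): ("7.2.1", "7.2.7", "7.2.8"),
    ("FortiManager Cloud", "7.0"): ("7.0.1", "7.0.12", "7.0.13"),
    ("FortiManager Cloud", "6.4"): ("6.4.0", None, None),
}
MISSING = object()

def parse(version: str) -> tuple:
    """Numeric tuple so that (7, 4, 10) > (7, 4, 5); a string compare gets this wrong."""
    return tuple(int(part) for part in version.split("."))

def assess(product: str, version: str) -> str:
    branch = ".".join(version.split(".")[:2])
    entry = AFFECTED.get((product, branch), MISSING)
    if entry is MISSING:
        return "not listed in advisory table"
    if entry is None:
        return "not affected"
    first, last, fixed = entry
    if last is None:
        return "affected: migrate to a fixed release"
    if parse(first) <= parse(version) <= parse(last):
        return f"affected: upgrade to {fixed} or above"
    return "not affected"

def assess_inventory(inventory):
    """inventory: iterable of (hostname, product, version) -> list of (hostname, verdict)."""
    return [(host, assess(product, version)) for host, product, version in inventory]

if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    sample = [("fmg-01", "FortiManager", "7.4.4"), ("fmg-02", "FortiManager", "7.4.10"),
              ("fmg-cloud", "FortiManager Cloud", "6.4.3")]
    for host, verdict in assess_inventory(sample):
        print(f"{host}: {verdict}")
```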
Securonix customers
In addition to Fortinet’s guidance, the Securonix ATS (Autonomous Threat Sweeper) will continue to monitor for known IOCs, especially as more data comes to light. The Securonix Threat Research team is also monitoring this vulnerability closely and providing detections.
Relevant hunting queries
(remove square brackets “[ ]” for IP addresses or URLs)
- index = activity AND rg_functionality = "Next Generation Firewall" AND ipaddress IN ("149.28.206[.]153","104.238.141[.]143","45.32.63[.]2","158.247.199[.]37","45.32.41[.]202","192.64.119[.]76","140.82.17[.]65","91.195.240[.]19")
- index = activity AND rg_functionality = "Next Generation Firewall" AND (destinationhostname CONTAINS "ccwaterfall[.]com" OR destinationhostname CONTAINS "detankzone[.]com")
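For teams without Securonix, the same two hunts can be run over exported firewall logs. The following is an added example (not part of the original advisory) that refangs the bracketed indicators, matches IP fields as whole tokens (so 149.28.206.15 is not a substring hit for 149.28.206.153) and matches hostnames on the domain or any subdomain, mirroring the CONTAINS query; the key=value log lines are constructed.

```python
"""Hunt firewall key=value logs for the FortiJump indicators listed in this advisory."""
import re

DEFANGED_IOCS = [
    "149.28.206[.]153", "104.238.141[.]143", "45.32.63[.]2", "158.247.199[.]37",
    "45.32.41[.]202", "192.64.119[.]76", "140.82.17[.]65", "91.195.240[.]19",
    "ccwaterfall[.]com", "detankzone[.]com",
]

def refang(ioc: str) -> str:
    """Turn the advisory's '[.]' notation back into a usable IP or hostname."""
    return ioc.replace("[.]", ".")

IPS = {refang(i) for i in DEFANGED_IOCS if i[0].isdigit()}
DOMAINS = {refang(i) for i in DEFANGED_IOCS if not i[0].isdigit()}

# Address-bearing fields in FortiGate-style logs: srcip=, dstip=, hostname=, host=.
FIELD_RE = re.compile(r'\b(?:src|dst)?(?:ip|hostname|host)="?([A-Za-z0-9.\-]+)"?')

def matching_iocs(line: str) -> set:
    """Return the set of advisory IOCs present in one log line."""
    hits = set()
    for value in FIELD_RE.findall(line):
        value = value.lower()
        if value in IPS:                      # exact token match for IPs
            hits.add(value)
        for domain in DOMAINS:                # domain itself or any subdomain
            if value == domain or value.endswith("." + domain):
                hits.add(domain)
    return hits

def scan(lines):
    """Return (line_number, sorted IOC list) for every line with at least one hit."""
    return [(n, sorted(h)) for n, line in enumerate(lines, 1) if (h := matching_iocs(line))]

# Constructed sample logs; line 2 is a near-miss that substring matching would flag.
SAMPLE_LOGS = [
    'date=2024-10-24 srcip=10.0.0.5 dstip=149.28.206.153 dstport=443 action=accept',
    'date=2024-10-24 srcip=10.0.0.7 dstip=149.28.206.15 dstport=443 action=accept',
    'date=2024-10-24 srcip=10.0.0.9 hostname="cdn.detankzone.com" action=deny',
    'date=2024-10-24 srcip=10.0.0.9 hostname="www.example.com" action=accept',
]

if __name__ == "__main__":
    for n, iocs in scan(SAMPLE_LOGS):
        print(f"line {n}: {', '.join(iocs)}")
```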
C2 and infrastructure
Hashes (SHA256):
- 7353AB9670133468081305BD442F7691CF2F2C1136F09D9508400546C417833A
- 59A37D7D2BF4CFFE31407EDD286A811D9600B68FE757829E30DA4394AB65A4CC
References
- Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)
https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575/
- FortiManager Zero-Day ‘FortiJump’ Is Now Publicly Addressed (CVE-2024-47575)
https://socradar.io/fortimanager-zero-day-fortijump-is-now-publicly-addressed-cve-2024-47575/
- Fortinet FortiManager CVE-2024-47575 Exploited in Zero-Day Attacks
https://www.rapid7.com/blog/post/2024/10/23/etr-fortinet-fortimanager-cve-2024-47575-exploited-in-zero-day-attacks/
- CVE-2024-47575 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-47575
- Missing authentication in fgfmsd
https://www.fortiguard.com/psirt/FG-IR-24-423