Details and Guidance on New “FortiJump” Vulnerability or CVE-2024-47575

Securonix Threat Research Security Advisory

Securonix Threat Research: Den Iuzvyk, Tim Peck
Detection Engineering: Abhishek Narasimhan

Last week, a critical vulnerability was identified affecting FortiManager deployments. Through a collaboration between Fortinet and Mandiant, the vulnerability was first identified as being exploited in the wild by UNC5820, which leveraged it in attacks as early as June 27, 2024.

Fortinet released a patch for the vulnerability, designated CVE-2024-47575, on October 23, 2024, following private notifications to affected customers earlier in October. This patch addresses the critical vulnerability in both FortiManager and FortiManager Cloud versions. The vulnerability is rated CRITICAL and carries a CVSS score of 9.8:

Figure 1: CVE details – source Tenable

Vulnerability details and scope

For the vulnerability tracked as CVE-2024-47575 or “FortiJump”, Mandiant advises that organizations which may have their FortiManager exposed to the internet should conduct a forensic investigation immediately.

At the time of publication, Shodan still tracks over 59,000 exposed devices, a reduction of only about a thousand from the figure SOC Radar reported on Wednesday of last week.

Figure 3: Exposed devices by country – source shodan.io

Exploitation overview

The vulnerability CVE-2024-47575, also known as “FortiJump,” is a critical flaw in FortiManager that allows remote, unauthenticated attackers to execute arbitrary commands on affected systems. The flaw stems from a missing authentication check in the FortiGate-to-FortiManager communication protocol (FGFM), specifically in the fgfmsd daemon, which handles communication between FortiManager and FortiGate devices. Without a proper authentication check in place, an attacker can interact remotely with the FortiManager server by sending specially crafted requests that bypass the usual user verification procedures.

Once an attacker gains access through this flaw, they can exploit the connection to FortiManager to access configuration files, steal sensitive data or potentially interact with all FortiGate devices managed by the compromised FortiManager instance.

The level of access that the attackers would gain is particularly dangerous because FortiManager serves as a central control platform for all connected FortiGate firewalls and other network security devices. According to Mandiant, the exploit has enabled attackers to extract data such as FortiGate configurations and hashed passwords, which could provide further opportunities for lateral movement or deeper network compromise. At this stage, the attackers could pivot and attempt to move laterally into other internal systems.

Mitigation strategies and workarounds

  • Apply the patch provided by Fortinet (see table below for affected versions and recommendations)
  • Limit access to the FortiManager admin portal to approved internal IP addresses only, or avoid exposing FortiManager appliances to the public internet altogether.
  • Ensure strict whitelisting rules by allowing only permitted FortiGate addresses to communicate with FortiManager.
  • Deny unknown FortiGate devices from being associated with FortiManager.

Fortinet provided configuration workarounds for administrators unable to apply the patch immediately, aimed at limiting unauthorized device access and enhancing security for impacted systems. For the best security, Fortinet urges users to upgrade to the fixed versions promptly and review the provided mitigations for any delayed updates.

Review your deployment for vulnerable versions and apply necessary actions per Fortinet’s recommendations:

Product Version         Affected Versions        Recommendation
FortiManager 7.6        7.6.0                    Upgrade to 7.6.1 or above
FortiManager 7.4        7.4.0 through 7.4.4      Upgrade to 7.4.5 or above
FortiManager 7.2        7.2.0 through 7.2.7      Upgrade to 7.2.8 or above
FortiManager 7.0        7.0.0 through 7.0.12     Upgrade to 7.0.13 or above
FortiManager 6.4        6.4.0 through 6.4.14     Upgrade to 6.4.15 or above
FortiManager 6.2        6.2.0 through 6.2.12     Upgrade to 6.2.13 or above
FortiManager Cloud 7.6  Not affected             Not Applicable
FortiManager Cloud 7.4  7.4.1 through 7.4.4      Upgrade to 7.4.5 or above
FortiManager Cloud 7.2  7.2.1 through 7.2.7      Upgrade to 7.2.8 or above
FortiManager Cloud 7.0  7.0.1 through 7.0.12     Upgrade to 7.0.13 or above
FortiManager Cloud 6.4  6.4 all versions         Migrate to a fixed release
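As an added example (not Securonix's or Fortinet's code), the table above encoded as a lookup that reports whether a given FortiManager build is affected and what the advisory recommends. Product and branch names are taken from the table; the "all versions" entry for FortiManager Cloud 6.4 is modelled as an open-ended range with no fixed release.

```python
from typing import Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, fixed release); None = branch listed as not affected.
# Values copied from the advisory table above. Cloud 6.4 "all versions" is modelled as
# an open-ended range with no fixed release, matching "Migrate to a fixed release".
AFFECTED = {
    ("FortiManager", "7.6"): ((7, 6, 0), (7, 6, 0), "7.6.1"),
    ("FortiManager", "7.4"): ((7, 4, 0), (7, 4, 4), "7.4.5"),
    ("FortiManager", "7.2"): ((7, 2, 0), (7, 2, 7), "7.2.8"),
    ("FortiManager", "7.0"): ((7, 0, 0), (7, 0, 12), "7.0.13"),
    ("FortiManager", "6.4"): ((6, 4, 0), (6, 4, 14), "6.4.15"),
    ("FortiManager", "6.2"): ((6, 2, 0), (6, 2, 12), "6.2.13"),
    ("FortiManager Cloud", "7.6"): None,
    ("FortiManager Cloud", "7.4"): ((7, 4, 1), (7, 4, 4), "7.4.5"),
    ("FortiManager Cloud", "7.2"): ((7, 2, 1), (7, 2, 7), "7.2.8"),
    ("FortiManager Cloud", "7.0"): ((7, 0, 1), (7, 0, 12), "7.0.13"),
    ("FortiManager Cloud", "6.4"): ((6, 4, 0), (6, 4, 999), None),
}

def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; anything else is rejected rather than guessed."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)

def assess(product: str, version: str) -> Tuple[bool, str]:
    """Return (affected, recommendation) for a product/version pair."""
    v = parse_version(version)
    key = (product, f"{v[0]}.{v[1]}")
    if key not in AFFECTED:
        return False, "Branch not covered by the advisory table"
    entry = AFFECTED[key]
    if entry is None:
        return False, "Not affected"
    low, high, fixed = entry
    if low <= v <= high:  # tuple comparison gives correct numeric ordering (7.0.12 > 7.0.9)
        return True, ("Migrate to a fixed release" if fixed is None else f"Upgrade to {fixed} or above")
    return False, "Not affected"

if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for product, ver in [("FortiManager", "7.4.3"), ("FortiManager Cloud", "7.4.0"),
                         ("FortiManager Cloud", "6.4.9"), ("FortiManager", "7.6.1")]:
        print(product, ver, assess(product, ver))
```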

Securonix customers

In addition to Fortinet’s guidance, Securonix ATS (Autonomous Threat Sweeper) will continue to monitor for known IOCs, especially as more data comes to light. The Securonix Threat Research team is also monitoring this vulnerability closely and providing detections.

Relevant hunting queries
(remove square brackets “[ ]” for IP addresses or URLs)

  • index = activity AND rg_functionality = "Next Generation Firewall" AND ipaddress IN ("149.28.206[.]153","104.238.141[.]143","45.32.63[.]2","158.247.199[.]37","45.32.41[.]202","192.64.119[.]76","140.82.17[.]65","91.195.240[.]19")
  • index = activity AND rg_functionality = "Next Generation Firewall" AND (destinationhostname CONTAINS "ccwaterfall[.]com" OR destinationhostname CONTAINS "detankzone[.]com")
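The same two hunting queries as an added, stand-alone Python sweep (example code, not Securonix's detection content) over constructed FortiGate-style key=value log lines. The field names srcip, dstip, ipaddress and hostname are assumed for the sample format, and the domain check uses suffix matching (domain or any subdomain) rather than the query's CONTAINS.

```python
import re
from typing import Dict, List

# Indicators copied from the hunting queries above, kept defanged as published.
C2_IPS = ["149.28.206[.]153", "104.238.141[.]143", "45.32.63[.]2", "158.247.199[.]37",
          "45.32.41[.]202", "192.64.119[.]76", "140.82.17[.]65", "91.195.240[.]19"]
C2_DOMAINS = ["ccwaterfall[.]com", "detankzone[.]com"]

def refang(ioc: str) -> str:
    """Restore a defanged indicator (the '[ ]' convention noted above) to its real form."""
    return ioc.replace("[.]", ".")

IP_SET = {refang(i) for i in C2_IPS}
DOMAIN_SET = {refang(d) for d in C2_DOMAINS}

# key=value pairs with optional double-quoted values (FortiGate-style syslog).
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(line: str) -> Dict[str, str]:
    return {k: v.strip('"') for k, v in KV.findall(line)}

def match_line(line: str) -> List[str]:
    """Return the indicator hits for one log line: a C2 IP in an address field,
    or a C2 domain (or any subdomain of it) in a hostname field."""
    fields = parse_kv(line)
    hits = []
    for key in ("srcip", "dstip", "ipaddress"):  # field names assumed for the sample format
        if fields.get(key) in IP_SET:
            hits.append(f"{key}={fields[key]}")
    host = (fields.get("hostname") or fields.get("destinationhostname") or "").lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in DOMAIN_SET):
        hits.append(f"hostname={host}")
    return hits

def sweep(lines: List[str]) -> List[str]:
    """Return only the lines that match at least one indicator."""
    return [ln for ln in lines if match_line(ln)]

# Constructed sample lines (not real telemetry): one C2 IP hit, one DNS hit, two benign.
SAMPLE_LOGS = [
    'date=2024-10-24 type=traffic srcip=10.20.1.5 dstip=45.32.63.2 dstport=443 action=accept',
    'date=2024-10-24 type=traffic srcip=10.20.1.7 dstip=203.0.113.9 dstport=443 action=accept',
    'date=2024-10-24 type=utm subtype=dns srcip=10.20.1.9 hostname="api.ccwaterfall.com" qtype=A',
    'date=2024-10-24 type=traffic srcip=10.20.1.9 dstip=10.20.1.1 dstport=541 action=accept',
]

if __name__ == "__main__":
    for line in sweep(SAMPLE_LOGS):
        print("MATCH", match_line(line), "|", line)
```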

C2 and infrastructure

Hashes:

SHA256
7353AB9670133468081305BD442F7691CF2F2C1136F09D9508400546C417833A
59A37D7D2BF4CFFE31407EDD286A811D9600B68FE757829E30DA4394AB65A4CC

References

  1. Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)
    https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575/
  2. FortiManager Zero-Day ‘FortiJump’ Is Now Publicly Addressed (CVE-2024-47575)
    https://socradar.io/fortimanager-zero-day-fortijump-is-now-publicly-addressed-cve-2024-47575/
  3. Fortinet FortiManager CVE-2024-47575 Exploited in Zero-Day Attacks
    https://www.rapid7.com/blog/post/2024/10/23/etr-fortinet-fortimanager-cve-2024-47575-exploited-in-zero-day-attacks/
  4. CVE-2024-47575 Detail
    https://nvd.nist.gov/vuln/detail/CVE-2024-47575
  5. Missing authentication in fgfmsd
    https://www.fortiguard.com/psirt/FG-IR-24-423