CVE
CVE-2024-47575
Affected Products
FortiManager:
- 7.6.0
- 7.4.0 through 7.4.4
- 7.2.0 through 7.2.7
- 7.0.0 through 7.0.12
- 6.4.0 through 6.4.14
- 6.2.0 through 6.2.12
FortiManager Cloud:
- 7.4.1 through 7.4.4
- 7.2.1 through 7.2.7
- 7.0.1 through 7.0.12
- 6.4 all versions
Exploitation
Fortinet reports that this vulnerability has been exploited in the wild [1]. It has been added to CISA's Known Exploited Vulnerabilities catalog [2].
Recommended Actions
- Apply the latest software updates provided by Fortinet, prioritizing the versions listed under Affected Products.
- Enable fgfm-deny-unknown to prevent unknown devices from attempting to register.
- Whitelist the IP addresses of the FortiGates that are allowed to connect.
Detection
Log entries:
type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",user="device,…",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"
type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"
Serial Numbers:
- FMG-VMTM23017412
Outbound traffic to the following IP addresses:
- 45.32.41.202
- 104.238.141.143
- 158.247.199.37
- 45.32.63.2
Files:
- /tmp/.tm
- /var/tmp/.tm
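One way to turn the log and IP indicators above into a repeatable check, as an added example that is not part of the Fortinet advisory. The function names, the third sample event and the flow-record text passed to ioc_ips_in are constructed for illustration; the indicator values are the ones listed above.

```python
import re

# Indicators copied from the Detection section of this advisory.
IOC_MESSAGE = "Unregistered device localhost add succeeded"
IOC_SERIALS = {"FMG-VMTM23017412"}
IOC_IPS = {"45.32.41.202", "104.238.141.143", "158.247.199.37", "45.32.63.2"}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,"]*))')  # key=value or key="value"
SERIAL_RE = re.compile(r"\(SN ([A-Za-z0-9-]+)\)")
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")

# First two lines are the advisory's log entries; the third is constructed and benign.
SAMPLE_EVENTS = [
    'type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",user="device,…",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"',
    'type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"',
    'type=event,subtype=dvm,pri=notice,user="System",msg="" adom="root" session_id=0 operation="Modify device" performed_on="fgt-branch" changes="Edited device settings (SN FMG-VM0000000000)"',
]


def parse_event(line):
    """Split a FortiManager event log line into a dict of key/value fields."""
    line = line.replace("\u201c", '"').replace("\u201d", '"')  # undo typographic quotes
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def check_event(line):
    """Return the names of the indicators that one event log line matches."""
    ev = parse_event(line)
    if ev.get("subtype") != "dvm":
        return []
    hits = []
    if ev.get("operation") == "Add device" and IOC_MESSAGE in ev.get("changes", ""):
        hits.append("unregistered-localhost-add")
    m = SERIAL_RE.search(ev.get("changes", ""))
    if ev.get("operation") == "Modify device" and m and m.group(1) in IOC_SERIALS:
        hits.append("ioc-serial:" + m.group(1))
    return hits


def ioc_ips_in(text):
    """Return listed IPs present as whole addresses (45.32.63.2 must not hit 45.32.63.20)."""
    return sorted(set(IPV4_RE.findall(text)) & IOC_IPS)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(check_event(event))
    print(ioc_ips_in("dst=45.32.63.2:443 dst=45.32.63.20:443"))  # constructed flow text
```

Matching on parsed fields rather than raw substrings keeps the serial-number check tied to "Modify device" events, and the whole-address IP match avoids false positives on addresses that merely share a prefix with a listed one.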
References
[1] https://www.fortiguard.com/psirt/FG-IR-24-423
[2] https://www.cisa.gov/news-events/alerts/2024/10/23/cisa-adds-one-known-exploited-vulnerability-catalog