Threat Insight
UPDATED: Critical Fortinet Remote Code Execution Zero-Day Vulnerability
Fortinet has recently published an advisory[1] about a new remote code execution (RCE) vulnerability affecting FortiManager and FortiManager Cloud. It is caused by a missing authentication for critical function weakness [CWE-306] in the FortiManager fgfmd daemon. If successfully exploited, an unauthenticated remote attacker could execute arbitrary commands on affected devices.
CVE
CVE-2024-47575
Affected Products
FortiManager:
- 7.6.0
- 7.4.0 through 7.4.4
- 7.2.0 through 7.2.7
- 7.0.0 through 7.0.12
- 6.4.0 through 6.4.14
- 6.2.0 through 6.2.12
FortiManager Cloud:
- 7.4.1 through 7.4.4
- 7.2.1 through 7.2.7
- 7.0.1 through 7.0.12
- 6.4 all versions
Exploitation
Fortinet reports that this vulnerability has been exploited in the wild[1]. It has been added to the CISA Known Exploited Vulnerabilities catalog[2].
Recommended Actions
- Apply latest software updates provided by Fortinet, prioritizing affected versions under Affected Products.
- Enable fgfm-deny-unknown to prevent unknown devices from attempting to register.
- Whitelist the IP addresses of FortiGates that are allowed to connect.
Detection
Log entries:
- type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",user="device,...",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"
- type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"
Serial numbers:
- FMG-VMTM23017412
Outbound traffic to the following IP addresses:
- 45.32.41.202
- 104.238.141.143
- 158.247.199.37
- 45.32.63.2
Files:
- /tmp/.tm
- /var/tmp/.tm
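The following script is an added example (not part of the Fortinet advisory or this page) showing how the indicators above can be turned into a simple log and connection check. It parses FortiManager dvm event lines into key/value fields, flags the "Unregistered device localhost add succeeded" event, matches the published serial number, and checks connection records and file paths against the listed IPs and paths. The sample log lines are constructed for the example: the first two mirror the entries published above, the third is a benign, fictitious "Modify device" event (device name and serial invented) to show a non-match.

```python
import re
from typing import Dict, List, Tuple

# Indicators of compromise as published in FG-IR-24-423 and reproduced above.
IOC_SERIALS = {"FMG-VMTM23017412"}
IOC_IPS = {"45.32.41.202", "104.238.141.143", "158.247.199.37", "45.32.63.2"}
IOC_FILES = {"/tmp/.tm", "/var/tmp/.tm"}
IOC_MESSAGE = "Unregistered device localhost add succeeded"

# FortiManager event fields are key=value pairs; values are either double-quoted
# (and may contain commas and spaces) or bare tokens ended by whitespace or a comma.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')

# Constructed sample input: lines 1-2 follow the advisory's published entries,
# line 3 is an invented benign event (fictitious device name and serial).
SAMPLE_LOG = [
    'type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",'
    'user="device,...",msg="Unregistered device localhost add succeeded" device="localhost" '
    'adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" '
    'changes="Unregistered device localhost add succeeded"',
    'type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",'
    'user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" '
    'performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"',
    'type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",'
    'user="admin",userfrom="GUI(10.0.0.5)",msg="" adom="root" session_id=17 '
    'operation="Modify device" performed_on="FGT-branch01" '
    'changes="Edited device settings (SN FGT60FTKEXAMPLE1)"',
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one FortiManager event log line into a dict of field -> value."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def event_indicators(line: str) -> List[str]:
    """Return the indicator names matched by a single dvm event line (empty if clean)."""
    ev = parse_event(line)
    hits: List[str] = []
    if ev.get("subtype") != "dvm":
        return hits
    text = " ".join(ev.get(field, "") for field in ("msg", "changes"))
    # An unregistered device named "localhost" registering against the manager itself.
    if IOC_MESSAGE in text and ev.get("performed_on") == "localhost":
        hits.append("unregistered-localhost-device")
    # The serial number the advisory associates with the attacker-controlled device.
    for serial in sorted(IOC_SERIALS):
        if serial in text:
            hits.append(f"known-malicious-serial:{serial}")
    return hits


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Scan many lines; return (line_index, indicators) for every line that matched."""
    results = []
    for idx, line in enumerate(lines):
        hits = event_indicators(line)
        if hits:
            results.append((idx, hits))
    return results


def matched_destinations(connections: List[Tuple[str, str]]) -> List[str]:
    """Given (src_ip, dst_ip) records from a firewall or flow log, return the
    destinations that are on the published IP list, in order of first appearance."""
    seen: List[str] = []
    for _src, dst in connections:
        if dst in IOC_IPS and dst not in seen:
            seen.append(dst)
    return seen


def suspicious_paths(paths: List[str]) -> List[str]:
    """Return the subset of observed file paths that match the published file IoCs."""
    return [p for p in paths if p in IOC_FILES]


if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG):
        print(f"line {idx + 1}: {', '.join(hits)}")
    print("IoC destinations:", matched_destinations([("10.0.0.9", "45.32.41.202"),
                                                      ("10.0.0.9", "203.0.113.7")]))
    print("IoC files:", suspicious_paths(["/tmp/.tm", "/var/log/messages"]))
```

The parser deliberately keeps the quoted values intact, so the comma-laden desc field from the advisory does not split into fragments; matching is done on the msg and changes fields only, which is where the distinctive text and serial number appear.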
References
[1]https://www.fortiguard.com/psirt/FG-IR-24-423
[2]https://www.cisa.gov/news-events/alerts/2024/10/23/cisa-adds-one-known-exploited-vulnerability-catalog