Active Exploitation of a Critical Vulnerability in FortiManager
24 October 2024
Fortinet has released security updates addressing a critical vulnerability (CVE-2024-47575) in FortiManager. The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.8 out of 10 and is reportedly being actively exploited.
Successful exploitation of this critical-function vulnerability could allow a remote, unauthenticated attacker to execute arbitrary code or commands by sending specially crafted requests.
The critical vulnerability affects the following product versions:
• FortiManager version 7.6.0
• FortiManager version 7.4.0 to 7.4.4
• FortiManager version 7.2.0 to 7.2.7
• FortiManager version 7.0.0 to 7.0.12
• FortiManager version 6.4.0 to 6.4.14
• FortiManager version 6.2.0 to 6.2.12
• FortiManager Cloud version 7.4.1 to 7.4.4
• FortiManager Cloud version 7.2.1 to 7.2.7
• FortiManager Cloud version 7.0.1 to 7.0.12
• FortiManager Cloud version 6.4.x
Users and administrators of affected product versions are advised to update to the latest version immediately.
Administrators may also wish to scan for the Indicators of Compromise (IOCs) associated with exploitation of the vulnerability.
Table of Indicators of Compromise (IOCs)
Type of IOC | IOC |
---|---|
Log Entry | type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log", user="device,...",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded" |
Log Entry | type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at, |
IP Address | 45[.]32[.]41[.]202 |
IP Address | 104[.]238[.]141[.]143 |
IP Address | 158[.]247[.]199[.]37 |
IP Address | 45[.]32[.]63[.]2 |
Serial Number | FMG-VMTM23017412 |
File | /tmp/.tm |
File | /var/tmp/.tm |
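The following script is an added example of how the IOCs in the table above can be matched against exported FortiManager event logs and other text exports (for example a directory listing). It is not SingCERT's or Fortinet's tooling. The IOC values are copied from the table (IP addresses refanged from the `45[.]32[.]41[.]202` notation); the sample lines are constructed for the example, apart from the advisory's first log entry, which is included verbatim as test input. The key=value log parser is an assumption about the log format based on the entries shown in the table.

```python
"""Scan exported FortiManager event logs and other text exports for the IOCs
published in the advisory. Example code added to this page; not SingCERT's
or Fortinet's tooling."""
import re
from typing import Dict, List, Tuple

# IOCs copied from the advisory's table. The IP addresses are refanged
# ("45[.]32[.]41[.]202" -> "45.32.41.202") so they match raw log text.
IOC_IPS = {"45.32.41.202", "104.238.141.143", "158.247.199.37", "45.32.63.2"}
IOC_SERIALS = {"FMG-VMTM23017412"}
IOC_FILES = {"/tmp/.tm", "/var/tmp/.tm"}
IOC_LOG_MSG = "Unregistered device localhost add succeeded"

# Assumed log format (matches the table entries): key=value pairs separated
# by commas or spaces; values may be double-quoted and contain commas/spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]+)')
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_fmg_log(line: str) -> Dict[str, str]:
    """Parse one FortiManager key=value log line into a dict (quotes stripped)."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def scan_line(line: str) -> List[str]:
    """Return the IOC matches found in one line, in a fixed order."""
    hits: List[str] = []
    fields = parse_fmg_log(line)

    # 1. The rogue device registration event: a dvm log in which the device
    #    that was added is "localhost" and the message matches the advisory.
    if (fields.get("subtype") == "dvm"
            and fields.get("device") == "localhost"
            and IOC_LOG_MSG in fields.get("msg", "")):
        hits.append("log: " + IOC_LOG_MSG)

    # 2. Attacker IP addresses. Whole dotted quads are extracted first so
    #    that 45.32.63.2 does not match inside, say, 45.32.63.20.
    for ip in sorted(set(IPV4_RE.findall(line)) & IOC_IPS):
        hits.append("ip: " + ip)

    # 3. The serial number of the attacker-controlled FortiManager.
    for serial in sorted(IOC_SERIALS):
        if re.search(r"\b" + re.escape(serial) + r"\b", line):
            hits.append("serial: " + serial)

    # 4. Staging file paths, e.g. in an exported directory listing. The
    #    lookarounds stop /tmp/.tm from matching inside /var/tmp/.tm.
    for path in sorted(IOC_FILES):
        if re.search(r"(?<![\w/])" + re.escape(path) + r"(?![\w.])", line):
            hits.append("file: " + path)
    return hits


def scan_lines(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Scan many lines; return (1-based line number, hits) for lines that hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((number, hits))
    return results


# Constructed sample input. Line 2 is the advisory's first IOC log entry
# verbatim; the other lines are made up for this example.
SAMPLE_LINES = [
    # Benign device add for a normally named device (constructed).
    'type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",'
    'user="admin",msg="Device FGT-branch01 add succeeded" device="FGT-branch01" '
    'adom="root" session_id=42 operation="Add device" performed_on="FGT-branch01"',
    # The advisory's IOC log entry.
    'type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",'
    'user="device,...",msg="Unregistered device localhost add succeeded" device="localhost" '
    'adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" '
    'changes="Unregistered device localhost add succeeded"',
    # Constructed line carrying an attacker IP and the rogue serial number.
    'type=event,subtype=system,pri=notice,desc="System,log" '
    'msg="device FMG-VMTM23017412 connected from 45.32.41.202"',
    # Constructed near-miss IP that must not match.
    'type=event,subtype=system,pri=notice,desc="System,log" msg="connection from 45.32.63.20"',
    # Constructed line from an exported directory listing.
    "-rw-r--r-- 1 root root 1024 Oct 21 02:14 /var/tmp/.tm",
]

if __name__ == "__main__":
    for number, hits in scan_lines(SAMPLE_LINES):
        print(f"line {number}: {', '.join(hits)}")
```

Run it against a log export (one event per line) by replacing `SAMPLE_LINES` with the file's lines; each reported line number points at an entry to examine. A single hit on the `localhost` registration event or on the serial number is sufficient to treat the appliance as compromised and to follow the recovery steps in the advisory; IP hits are also worth checking in perimeter firewall logs, since the IOC table lists them as addresses seen during exploitation.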
If your organisation discovers any of these IOCs present in your network, administrators are advised to install a fresh FortiManager Virtual Machine or re-initialise a hardware model, either by adding/discovering devices or restoring a backup taken before the IOC detection. Alternatively, administrators may choose to manually verify the current configuration and either restore/copy the components or configuration sections from a compromised FortiManager or restore a backup from it. Further instructions can be found in the following link: https://www.fortiguard.com/psirt/FG-IR-24-423.
Additionally, organisations are encouraged to report the incident to SingCERT at
https://www.csa.gov.sg/reporting
More information is available here:
https://www.fortiguard.com/psirt/FG-IR-24-423
https://nvd.nist.gov/vuln/detail/CVE-2024-47575