Critical Security Vulnerability in FortiManager (score of 9.8) - CVE-2024-47575

A zero-day critical security vulnerability (score of 9.8 out of 10) has been identified in FortiManager, Fortinet's centralized management platform for FortiGate devices.

This RCE (Remote Code Execution) vulnerability carries the risk that a malicious individual could remotely execute arbitrary code on the appliance without any authentication. For those who want to know more about RCE vulnerabilities, please consult this blog post.


Exploitation observed

The earliest known exploitation of this zero-day vulnerability dates back to June 2024. The only observed cases of active exploitation involve a new cybercriminal group named UNC5820.

Systems affected

  • FortiManager Cloud 6.4 (all versions)

  • FortiManager 7.6.0

  • FortiManager 7.4.0 to 7.4.4

  • FortiManager 7.2.0 to 7.2.7

  • FortiManager 7.0.0 to 7.0.12

  • FortiManager 6.4.0 to 6.4.14

  • FortiManager 6.2.0 to 6.2.12

  • FortiManager Cloud 7.4.1 to 7.4.4

  • FortiManager Cloud 7.2.1 to 7.2.7

  • FortiManager Cloud 7.0.1 to 7.0.12

Older FortiAnalyzer models, including 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G and 3900E, are also affected by this vulnerability if FortiManager is enabled.


Indicators of compromise (IOC)

The following IP addresses (IOCs) have been involved in attempts to exploit this vulnerability.

  • 45.32.41.202

  • 104.238.141.143

  • 158.247.199.37

  • 45.32.63.2

  • 195.85.114.78


Recommendations

1 - Migrate to the following FortiManager versions:

  • FortiManager 7.6: upgrade to 7.6.1 or higher

  • FortiManager 7.4: upgrade to 7.4.5 or higher

  • FortiManager 7.2: upgrade to 7.2.8 or higher

  • FortiManager 7.0: upgrade to 7.0.13 or higher

  • FortiManager 6.4: upgrade to 6.4.15 or higher

  • FortiManager Cloud 7.4: upgrade to Cloud 7.4.5 or higher

  • FortiManager Cloud 7.2: upgrade to Cloud 7.2.8 or higher

  • FortiManager Cloud 7.0: upgrade to Cloud 7.0.13 or higher


2 - Block the IOCs associated with the exploitation of this vulnerability.

3 - In addition to these recommendations, Streamscan strongly suggests implementing the following measure to control access to all your security devices, such as firewalls:

  • Set up strict access control by explicitly listing the IP addresses that are allowed to access these devices; access from any other IP is denied.
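As an added example (not code from Fortinet or Streamscan), the following Python script encodes the affected and fixed version table from recommendation 1 and classifies a FortiManager version string, so an inventory export can be checked line by line; the `parse` and `assess` function names are my own.

```python
import re

# Affected ranges copied from this advisory: branch -> (first affected patch,
# last affected patch, first fixed patch). None = "all versions" / no fix listed.
AFFECTED = {
    "FortiManager": {
        (7, 6): (0, 0, 1),
        (7, 4): (0, 4, 5),
        (7, 2): (0, 7, 8),
        (7, 0): (0, 12, 13),
        (6, 4): (0, 14, 15),
        (6, 2): (0, 12, None),       # whole 6.2 line listed, no fixed 6.2 release given
    },
    "FortiManager Cloud": {
        (7, 4): (1, 4, 5),
        (7, 2): (1, 7, 8),
        (7, 0): (1, 12, 13),
        (6, 4): (None, None, None),  # "all versions" affected, no fix listed
    },
}

VERSION_RE = re.compile(r"^(FortiManager(?: Cloud)?)\s+(\d+)\.(\d+)\.(\d+)$")

def parse(version_string):
    m = VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    major, minor, patch = (int(x) for x in m.group(2, 3, 4))
    return m.group(1), (major, minor), patch

def assess(version_string):
    """Return (status, advice); status is 'vulnerable', 'fixed' or 'not listed'."""
    product, branch, patch = parse(version_string)
    label = f"{product} {branch[0]}.{branch[1]}"
    entry = AFFECTED[product].get(branch)
    if entry is None:
        return "not listed", f"{label} is not in the advisory's table; verify with the vendor"
    first, last, fix = entry
    if first is None:
        return "vulnerable", f"every {label} release is affected; migrate to a fixed branch"
    if patch < first:
        return "not listed", f"below the first affected {label} release; verify with the vendor"
    if patch <= last:
        if fix is None:
            return "vulnerable", f"no fixed {label} release is listed; migrate to a fixed branch"
        return "vulnerable", f"upgrade to {label}.{fix} or higher"
    if fix is not None and patch >= fix:
        return "fixed", f"{label}.{fix} or higher already contains the fix"
    return "not listed", f"{label}.{patch} is newer than the advisory's table; verify with the vendor"
```

A "not listed" result is not a clean bill of health: it only means the advisory table says nothing about that release, so confirm it against the vendor's current PSIRT entry.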


What Streamscan does to protect you

If you are a Streamscan partner:

  • We have set up a crisis unit to monitor this critical vulnerability. We will apply the appropriate response measures.

  • All the IP addresses (IOCs) listed above are already part of the suspect systems monitored by our CDS technology.

  • Our DRG/MDR security monitoring team remains vigilant in monitoring your network.