‘Act now’ – ACSC issues critical alert for exploited FortiManager vulnerability

The Australian Cyber Security Centre (ACSC) has issued a critical alert for a vulnerability in Fortinet FortiManager devices.

The vulnerability, CVE-2024-47575, allows threat actors to gain access to the FortiManager console, which is used to control security policies and firewalls.

You’re out of free articles for this month

Username or Email

Password Forgot password?

Keep me signed in on this device.

First Name

Last Name

Mobile

Organisation Type

By becoming a member, I agree to receive information and promotional messages from Cyber Daily. I can opt out of these communications at any time. For more information, please visit our Privacy Statement.

Need help signing up? Visit the Help Centre.

❗ ALERT ❗ ASD’s ACSC is aware of a vulnerability affecting all versions of Fortinet’s FortiManager device. The vulnerability enables an unauthorised actor to gain access to the FortiManager console (CVE-2024-47575).
For more information 👉 https://t.co/WXkFUzbt56 pic.twitter.com/3zuvowBf2s

— Australian Signals Directorate (@ASDGovAu) October 23, 2024

“A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests,” said Fortinet.

VIEW ALL

For the vulnerability to be abused, a threat actor would need a valid Fortinet device certificate, but this could be sourced from a legitimate box and used over and over, according to runZero director of security research Rob King.

The ACSC has allocated the vulnerability a CVSSv3 score of 9.8. It also said Fortinet is aware of instances where the vulnerability has been actively exploited.

Cyber security firm Rapid7 said its customers have also seen evidence that the vulnerability may have been exploited.

“The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager, which contained the IPs, credentials and configurations of the managed devices,” said Fortinet.

Fortinet said users of FortiManager 7.6 and below should update immediately. Additionally, it said managers should be on the lookout for several indications and four IP addresses it has identified as malicious.

“At this stage, we have not received reports of any low-level system installations of malware or backdoors on these compromised FortiManager systems. To the best of our knowledge, there have been no indicators of modified databases or connections and modifications to the managed devices,” it said.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

You need to be a member to post comments. Become a member for free today!

newsletter

Be the first to hear the latest developments in the cyber industry.

‘Act now’ – ACSC issues critical alert for exploited FortiManager vulnerability

Daniel Croft

OUR PLATFORMS AND BRANDS

EVENTS AND SUMMITS

PODCASTS

LEARNING AND EDUCATION

MOMENTUM MARKETS NETWORK

LINKS

STAY CONNECTED