The Australian Cyber Security Centre (ACSC) has issued a critical alert for a vulnerability in Fortinet FortiManager devices.
The vulnerability, CVE-2024-47575, allows threat actors to gain access to the FortiManager console, which is used to control security policies and firewalls.
❗ ALERT ❗ ASD’s ACSC is aware of a vulnerability affecting all versions of Fortinet’s FortiManager device. The vulnerability enables an unauthorised actor to gain access to the FortiManager console (CVE-2024-47575).
For more information 👉 https://t.co/WXkFUzbt56
— Australian Signals Directorate (@ASDGovAu) October 23, 2024
“A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests,” said Fortinet.
For the vulnerability to be abused, a threat actor would need a valid Fortinet device certificate, but such a certificate could be taken from a legitimate device and reused repeatedly, according to runZero director of security research Rob King.
The ACSC has allocated the vulnerability a CVSSv3 score of 9.8. It also said Fortinet is aware of instances where the vulnerability has been actively exploited.
Cyber security firm Rapid7 said its customers have also seen evidence that the vulnerability may have been exploited.
“The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager, which contained the IPs, credentials and configurations of the managed devices,” said Fortinet.
Fortinet said users of FortiManager 7.6 and below should update immediately. It also said administrators should watch for several indicators of compromise, including four IP addresses it has identified as malicious.
“At this stage, we have not received reports of any low-level system installations of malware or backdoors on these compromised FortiManager systems. To the best of our knowledge, there have been no indicators of modified databases or connections and modifications to the managed devices,” it said.