EXPEL BLOG

Security alert: Fortinet zero-day vulnerability

1 MIN READ · GREG NOTCH · OCT 24, 2024 · TAGS: Cloud security / MDR

TL;DR 

  • Fortinet disclosed a zero-day vulnerability to its customers on October 23; CISA and AttackerKB have identified it as already exploited in the wild
  • The vulnerability affects FortiManager, Fortinet’s platform for managing deployments of firewalls
  • The patch should be applied immediately, and if that’s not possible, be sure the protocol isn’t exposed to the internet

What happened?

Fortinet disclosed a zero-day vulnerability—CVE-2024-47575—on October 23. This vulnerability affects FortiManager, Fortinet’s platform for managing deployments of FortiGate firewalls. CISA and AttackerKB have already identified the vulnerability as actively exploited in the wild. Mandiant observed exploitation as early as June of this year.

Why does it matter?

The vulnerability allows an unauthenticated attacker to execute arbitrary commands on Fortinet firewall devices via FortiManager. Based on our understanding of the vulnerability, it’s being used to register additional attacker-controlled devices with FortiManager, which gives the attacker persistence and access to the victim’s network. If you’re investigating for exploitation, you should be looking for unexpected devices added to FortiManager.
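One way to turn the "look for unexpected devices" advice into a repeatable check, as an added example that is not part of the original post: compare a FortiManager device inventory against the firewall team's asset baseline and flag any serial that is not in the baseline, or that is connecting from an address other than the one on record. The CSV layout, serial numbers and addresses below are constructed for the example; a real FortiManager export will use its own column names.

```python
import csv
import io
from datetime import datetime

# Constructed sample: a FortiManager device inventory export in a hypothetical
# CSV layout (serial, name, ip, added_utc). Real exports differ; adapt the
# column names to what your FortiManager actually produces.
INVENTORY_CSV = """serial,name,ip,added_utc
FGT60F0000000001,branch-nyc-fw,10.1.0.1,2024-03-02T09:15:00
FGT60F0000000002,branch-bos-fw,10.2.0.1,2024-03-02T09:20:00
FGT60F0000000003,branch-chi-fw,10.3.0.1,2024-03-05T11:42:00
FGVMEV0000000099,unmanaged-01,198.51.100.7,2024-10-22T03:14:00
"""

# Asset baseline owned by the firewall team: every serial that is expected to
# be managed, with the address each device is expected to connect from.
EXPECTED = {
    "FGT60F0000000001": "10.1.0.1",
    "FGT60F0000000002": "10.2.0.1",
    "FGT60F0000000003": "10.3.0.1",
}


def find_unexpected_devices(inventory_csv, expected, since=None):
    """Return (serial, name, ip, reason) tuples for devices that are absent
    from the baseline or connect from an address other than the one on
    record. If `since` (ISO-8601 string) is given, only devices added at or
    after that time are examined, which narrows a review to the window of
    concern."""
    cutoff = datetime.fromisoformat(since) if since else None
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if cutoff and datetime.fromisoformat(row["added_utc"]) < cutoff:
            continue
        serial, ip = row["serial"], row["ip"]
        if serial not in expected:
            findings.append((serial, row["name"], ip, "not in asset baseline"))
        elif expected[serial] != ip:
            findings.append((serial, row["name"], ip,
                             f"address changed from {expected[serial]}"))
    return findings


if __name__ == "__main__":
    for serial, name, ip, reason in find_unexpected_devices(INVENTORY_CSV, EXPECTED):
        print(f"REVIEW {serial} ({name}, {ip}): {reason}")
```

Any device this reports should be treated as a lead to investigate, not as a confirmed intrusion; legitimate onboarding also adds devices, so the baseline has to be kept current.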

What should you do right now?

For Fortinet customers, the vulnerability exists in the call-home protocol that FortiManager uses to manage the devices connected to it. This protocol is known as FortiGate to FortiManager (FGFM). A patch has been released for the vulnerability. However, if the patch can’t be applied, your organization should ensure that the protocol isn’t exposed to the internet. As a further mitigation, the following FortiManager CLI commands deny FGFM connections from devices that are not already known to FortiManager:

    config system global
        set fgfm-deny-unknown enable
    end

What next?

We’re keeping a close eye on this situation as it unfolds. We’ll update this post with big developments, but keep an eye on our socials (@ExpelSecurity) for additional recommendations as they emerge. 

If you or your team have any additional questions regarding this vulnerability, or want information on signs of exploitation, please reach out to us.