Fortinet confirms a critical security vulnerability in FortiManager

Fortinet has confirmed a critical vulnerability in one of its products and urged customers to immediately apply the released fix.

In a security advisory, the cybersecurity firm said it had discovered a bug in FortiManager that could allow an unauthenticated remote attacker to execute arbitrary code or commands via specially crafted requests.

The bug is in FortiManager's fgfmd daemon, the service that implements the FGFM protocol FortiGate devices use to register with and be managed by FortiManager; it stems from missing authentication for a critical function, which is why an attacker needs no credentials to reach it.

Critical vulnerability

The vulnerable versions are:

FortiManager 6.2.0 – 6.2.12, 6.4.0 – 6.4.14, 7.0.0 – 7.0.12, 7.2.0 – 7.2.7, 7.4.0 – 7.4.4 and 7.6.0.

In addition, several FortiManager Cloud versions are also vulnerable: all 6.4 versions, 7.0.1 – 7.0.12, 7.2.1 – 7.2.7 and 7.4.1 – 7.4.4.

FortiManager Cloud 7.6 is not affected.

The bug is rated critical, with a CVSS score of 9.8. It is being tracked as CVE-2024-47575, and fixed builds are already available (FortiManager 7.6.1, 7.4.5, 7.2.8, 7.0.13, 6.4.15 and 6.2.13). Fortinet also describes three workarounds for customers who cannot upgrade immediately; which ones apply depends on the version in use.

First, on FortiManager 7.0.12 or later, 7.2.5 or later and 7.4.3 or later (but not 7.6.0), administrators can block unknown devices from attempting to register at all by running the following in the CLI:

    config system global
    (global)# set fgfm-deny-unknown enable
    (global)# end

This refuses registration from any device whose serial number is not already known to FortiManager, which closes off the unauthenticated path the bug depends on.

Second, on FortiManager 7.2.0 and later, a local-in policy can be added that allowlists the IP addresses of the FortiGates permitted to connect to the FGFM service and denies every other source. Third, on 7.2.2 and later, 7.4.0 and later and 7.6.0 and later, a custom certificate can be configured for FGFM so that only devices presenting a certificate issued by that CA are accepted. All three are mitigations for the exposure, not a replacement for the patch.
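To make the version ranges and the three workarounds above concrete, here is a small triage helper written for this article (it is an added example, not Fortinet's code). It encodes the affected ranges and workaround thresholds exactly as stated above, reports whether a given build is vulnerable, lists which workarounds that build can use, and renders a deny-by-default local-in policy for the FGFM port from a list of allowed FortiGate addresses. The local-in-policy CLI text is modelled on the advisory's second workaround; its exact syntax, the `triage`/`local_in_policy_cli` helper names, the FGFM port (TCP/541) and the sample addresses are assumptions to verify against your own FortiManager before use.

```python
"""Triage helper for CVE-2024-47575 (FortiManager fgfmd).

Added example, not Fortinet's code. Version ranges and workaround
thresholds are those stated in the article; the local-in-policy CLI
text is modelled on the advisory's workaround and its exact syntax is
an assumption to verify against your FortiManager CLI reference.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Sentinel for "every patch level of the branch" (Cloud 6.4 is listed as all versions).
ANY = 9999

# (first affected, last affected) per branch, on-prem FortiManager.
AFFECTED_ON_PREM = [
    ((6, 2, 0), (6, 2, 12)),
    ((6, 4, 0), (6, 4, 14)),
    ((7, 0, 0), (7, 0, 12)),
    ((7, 2, 0), (7, 2, 7)),
    ((7, 4, 0), (7, 4, 4)),
    ((7, 6, 0), (7, 6, 0)),
]

# FortiManager Cloud: 7.6 is not affected, 6.4 is affected across the branch.
AFFECTED_CLOUD = [
    ((6, 4, 0), (6, 4, ANY)),
    ((7, 0, 1), (7, 0, 12)),
    ((7, 2, 1), (7, 2, 7)),
    ((7, 4, 1), (7, 4, 4)),
]


def parse_version(s: str) -> Version:
    """'7.4.3' -> (7, 4, 3); rejects anything that is not three integers."""
    parts = s.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad FortiManager version string: {s!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(v: Version, cloud: bool = False) -> bool:
    """True when v falls inside one of the published vulnerable ranges."""
    ranges = AFFECTED_CLOUD if cloud else AFFECTED_ON_PREM
    return any(lo <= v <= hi for lo, hi in ranges)


def applicable_workarounds(v: Version, cloud: bool = False) -> List[str]:
    """Which of the three advisory workarounds a vulnerable build can use.

    Returns an empty list for builds that are not affected (upgrade is the fix).
    """
    if not is_affected(v, cloud):
        return []
    branch = v[:2]
    out: List[str] = []
    # 1. fgfm-deny-unknown: 7.0.12+, 7.2.5+, 7.4.3+ (explicitly not 7.6.0).
    if (
        (branch == (7, 0) and v >= (7, 0, 12))
        or (branch == (7, 2) and v >= (7, 2, 5))
        or (branch == (7, 4) and v >= (7, 4, 3))
    ):
        out.append("fgfm-deny-unknown")
    # 2. Local-in policy allowlisting FortiGate source IPs: 7.2.0+.
    if v >= (7, 2, 0):
        out.append("local-in-policy")
    # 3. Custom FGFM certificate: 7.2.2+, 7.4.0+, 7.6.0+.
    if (branch == (7, 2) and v >= (7, 2, 2)) or v >= (7, 4, 0):
        out.append("custom-certificate")
    return out


def local_in_policy_cli(allowed_ips: List[str], port: int = 541) -> str:
    """Render a deny-by-default local-in policy for the FGFM port.

    One accept entry per allowlisted FortiGate, then a catch-all deny.
    Syntax is assumed (verify on your own box); FGFM listens on TCP/541.
    """
    if not allowed_ips:
        raise ValueError("refusing to render a policy that would block every FortiGate")
    lines = ["config system local-in-policy"]
    for idx, ip in enumerate(allowed_ips, start=1):
        lines += [f"    edit {idx}", "        set action accept",
                  f"        set dport {port}", f"        set src {ip}", "    next"]
    lines += [f"    edit {len(allowed_ips) + 1}", f"        set dport {port}",
              "        set action deny", "    next", "end"]
    return "\n".join(lines)


def triage(version: str, cloud: bool = False) -> Dict[str, object]:
    """One-call summary for a build string such as '7.4.4'."""
    v = parse_version(version)
    return {
        "version": v,
        "affected": is_affected(v, cloud),
        "workarounds": applicable_workarounds(v, cloud),
    }


if __name__ == "__main__":
    for build in ("7.4.4", "7.6.0", "7.6.1", "7.0.5"):
        print(build, triage(build))
    # Constructed sample: RFC 5737 documentation addresses, not real FortiGates.
    print(local_in_policy_cli(["192.0.2.10", "192.0.2.11"]))
```

Note that 7.0.5, for instance, is vulnerable but predates every workaround threshold, so the helper returns no workarounds for it: the only option there is to upgrade, or to restrict reachability of TCP/541 on the network in front of FortiManager rather than on the appliance itself.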

The company says the bug is already being exploited in the wild and is urging customers to patch or apply a workaround on their deployments without delay.

“The identified actions of this attack in the wild were to automate via script the exfiltration of various files from the FortiManager containing the IPs, credentials and configurations of the managed devices,” the advisory reads.

“At this stage we have not received any reports of any system installations of malware or backdoors on these compromised FortiManager systems. To our knowledge, there is no evidence of modified databases, or connections and modifications to the managed devices.”
