‘Act Now’: ACSC Issues Critical Alert Regarding FortiManager Vulnerability Exploitation
The Australian Cyber Security Centre (ACSC) has issued a critical alert regarding a vulnerability in Fortinet FortiManager devices.
The vulnerability, CVE-2024-47575, allows malicious actors to access the FortiManager console, which is used to control security policies and firewalls.
❗ ALERT ❗ ASD ACSC is aware of a vulnerability affecting all versions of Fortinet’s FortiManager appliance. The vulnerability allows an unauthorized actor to access the FortiManager console (CVE-2024-47575).
For more information 👉 https://t.co/WXkFUzbt56
– Australian Signals Directorate (@ASDGovAu) October 23, 2024
“A missing authentication for critical function vulnerability [CWE-306] in the FortiManager fgfmd daemon can allow an unauthenticated, remote attacker to execute arbitrary code or commands via crafted requests,” Fortinet said.
For the vulnerability to be exploited, a malicious actor would need a valid Fortinet device certificate, but that could come from a legitimate box and be used over and over again, according to Rob King, director of security research at runZero.
The vulnerability carries a CVSSv3 score of 9.8. Fortinet also said it was aware of cases in which the vulnerability had been actively exploited.
Cybersecurity firm Rapid7 said its customers had also found evidence that the vulnerability may have been exploited against them.
“The identified actions of this attack in the wild consisted of automating, via a script, the exfiltration of various files from the FortiManager which contained the IP addresses, credentials and configurations of the managed devices,” Fortinet said.
Fortinet said users of FortiManager 7.6 and earlier should update to a fixed release immediately. It also said administrators should watch for several indicators of compromise, including four IP addresses it identified as malicious.
“At this point, we have not received any reports of low-level malware installations or backdoors on these compromised FortiManager systems. To the best of our knowledge, there have been no indicators of modified databases or connections and changes to managed devices,” Fortinet said.
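Fortinet's guidance above amounts to a log review: look for the published indicators, including the four addresses, in FortiManager's event logs. What follows is an added example, not code from the article, from Fortinet or from ACSC, of a small triage script that does that over exported key=value event lines. The sample log lines, the field names it relies on (srcip, subtype=dvm, operation="Add device"), the device inventory and the IoC addresses are all constructed for the example; the placeholder addresses come from the TEST-NET documentation ranges and must be replaced with the ones in Fortinet's advisory. The second check, which flags a device registration that is not in your inventory, is an assumption about what abuse of a reusable device certificate against fgfmd would look like, not an indicator the text above attributes to Fortinet.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Fortinet-style event lines are key=value pairs separated by commas or
# whitespace; quoted values may themselves contain commas and spaces.
_PAIR_RE = re.compile(r'(\w+)=("([^"]*)"|([^,\s]*))')

# Constructed sample log lines. The field names (srcip, subtype=dvm,
# operation="Add device") are assumed for illustration, not taken from a
# real FortiManager export or from Fortinet's advisory.
SAMPLE_LOG = """\
type=event,subtype=system,pri=information,user="admin",srcip=10.0.0.5,msg="Admin login succeeded"
type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",srcip=192.0.2.77,msg="Unregistered device add succeeded" device="localhost" adom="FortiManager" operation="Add device" performed_on="localhost"
type=event,subtype=dvm,pri=notice,srcip=10.0.0.9,msg="Device add succeeded" device="branch-fw-01" adom="root" operation="Add device" performed_on="branch-fw-01"
type=event,subtype=system,pri=notice,srcip=198.51.100.12,msg="Config export" operation="Export config"
""".splitlines()

# Placeholder addresses from the TEST-NET documentation ranges. An operator
# would substitute the addresses published in Fortinet's advisory.
IOC_IPS = ["192.0.2.77", "198.51.100.12"]

# Devices the administrator expects to be registered with this FortiManager
# (constructed inventory for the example).
KNOWN_DEVICES = {"branch-fw-01", "hq-fw-01"}


def parse_fortinet_log_line(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a dict, honouring quoted values."""
    fields: Dict[str, str] = {}
    for m in _PAIR_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def scan_fortimanager_logs(
    lines: Iterable[str], ioc_ips: Iterable[str], known_devices: Iterable[str]
) -> List[Tuple[int, List[str]]]:
    """Return (line number, reasons) for every line that matches an indicator.

    Two checks are applied:
      1. the source address of the event is one of the listed IoC addresses;
      2. a device-manager (dvm) "Add device" event registered a device that is
         not in the administrator's inventory (assumed to be how an attacker
         presenting a reusable device certificate to fgfmd would show up).
    """
    iocs = {ipaddress.ip_address(ip) for ip in ioc_ips}
    known = set(known_devices)
    hits: List[Tuple[int, List[str]]] = []
    for lineno, line in enumerate(lines, start=1):
        f = parse_fortinet_log_line(line)
        reasons: List[str] = []
        src = f.get("srcip")
        if src:
            try:
                if ipaddress.ip_address(src) in iocs:
                    reasons.append(f"event from listed IoC address {src}")
            except ValueError:
                pass  # not an IP literal; ignore the field
        if f.get("subtype") == "dvm" and f.get("operation") == "Add device":
            dev = f.get("device", "")
            if dev not in known:
                reasons.append(f"device {dev!r} registered but not in inventory")
        if reasons:
            hits.append((lineno, reasons))
    return hits


if __name__ == "__main__":
    for lineno, reasons in scan_fortimanager_logs(SAMPLE_LOG, IOC_IPS, KNOWN_DEVICES):
        print(f"line {lineno}: " + "; ".join(reasons))
```

Run against the constructed sample, the script flags line 2 twice (IoC source address and an unexpected "localhost" registration) and line 4 once (IoC source address), while the legitimate branch-fw-01 registration on line 3 is left alone. Feed it a real export only after replacing the placeholder addresses and the inventory, and treat a hit as a reason to pull the device's credentials and configurations into an incident, given that those are exactly what Fortinet says was exfiltrated.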