Comprehensive technical analysis of FortiManager zero-day CVE-2024-47575 ("FortiJump") exploited by nation-states; understand impact and mitigation steps.

Continue reading
A critical zero-day vulnerability in Fortinet's FortiManager, dubbed `FortiJump` and tracked as CVE-2024-47575, has been actively exploited by nation-state actors to conduct espionage via Managed Service Providers (MSPs). The flaw allows attackers to execute arbitrary code or commands on FortiManager systems, potentially compromising managed FortiGate firewalls and downstream networks.
This comprehensive Threatfeed combines actionable insights from cybersecurity professional and official advisories to provide a detailed analysis of the vulnerability, its exploitation methods, affected versions, mitigation strategies, and the broader implications for organizations using Fortinet products.
FortiManager is a centralized management platform that enables organizations to manage multiple FortiGate firewalls and other Fortinet devices. It uses the FortiGate to FortiManager (FGFM) protocol to facilitate communication and management tasks, especially in environments with Network Address Translation (NAT).
Attackers must first obtain a valid certificate from any owned or compromised Fortinet device (e.g., FortiGate firewall, FortiManager VM).
The vulnerability lies in an authentication bypass within the FGFM API, enabling attackers to execute commands without proper authorization.
MSPs often use FortiManager to manage client networks. By exploiting this vulnerability, attackers can infiltrate MSPs and access their clients' networks, facilitating large-scale espionage.
Evidence suggests that nation-state actors are exploiting this vulnerability for espionage purposes.
Sensitive Information Exposure: Attackers can steal files containing configurations, IP addresses, and credentials of managed devices.
Unauthorized Access: Attackers can gain control over managed FortiGate devices, enabling them to alter configurations, deploy malicious policies, or disable security features.
7.6.0: Upgrade to 7.6.1 or above. 7.4.0 to 7.4.4: Upgrade to 7.4.5 or above. 7.2.0 to 7.2.7: Upgrade to 7.2.8 or above. 7.0.0 to 7.0.12: Upgrade to 7.0.13 or above. 6.4.0 to 6.4.14: Upgrade to 6.4.15 or above. 6.2.0 to 6.2.12: Upgrade to 6.2.13 or above.
7.4.1 to 7.4.4: Upgrade to 7.4.5 or above.
7.2.1 to 7.2.7: Upgrade to 7.2.8 or above.
7.0.1 to 7.0.12: Upgrade to 7.0.13 or above.
6.4 All Versions: Migrate to a fixed release.
Note: _As of the latest update, only versions 7.2.8 and 7.4.5 have patches available. Patches for other versions are expected to be released in the coming days._
1. Apply Patches
Install the latest patches provided by Fortinet for your specific version. Continuously monitor for new patches and updates, especially if your version's patch is pending.
2. Disable Automatic Registration of Unknown Devices Use set fgfm-deny-unknown enable to prevent devices with unknown serial numbers from registering with FortiManager. This setting may not be effective on versions 7.6.0 and 6.4.14.
3. Use Custom Certificates Deploy custom certificates for SSL tunnel authentication between FortiGate devices and FortiManager. If attackers obtain these certificates, they could still exploit the vulnerability.
4. Restrict IP Access
Configure FortiManager to accept connections only from trusted IP addresses of known FortiGate devices. Set up firewall rules to block unauthorized access to FGFM ports (TCP 541 for IPv4 and TCP 542 for IPv6).
Rogue devices may appear under the name "localhost" in the Unregistered Devices section.
Look for log entries indicating the addition or modification of devices without authorization.
Unregistered device "localhost" added. Device settings edited for a device with serial number resembling FMG-VMTM23017412.
Indicator Files: Presence of /tmp/.tm and /var/tmp/.tm may indicate exploitation.
Suspicious IP Addresses: Watch for connections from the following IPs associated with known attacks:
45.32.41.202
104.238.141.143 (associated with SuperShell C2 infrastructure)
158.247.199.37
45.32.63.2
Unusual Activity: Check for any abnormal configurations or policies pushed to FortiGate devices.
Long-Term Measures
Avoid Internet Exposure: Do not expose FGFM ports directly to the internet. Use VPNs or dedicated management networks.
NAT Considerations: Review NAT configurations to ensure they do not inadvertently expose FGFM services.
Multi-Factor Authentication (MFA): Implement MFA for administrative access to FortiManager.
Strong Password Policies: Enforce complex passwords and regular changes.
Configuration Reviews: Periodically audit FortiManager and FortiGate configurations for unauthorized changes.
Compliance Checks: Ensure adherence to security best practices and regulatory requirements.
Security Awareness: Educate staff about potential threats and encourage prompt reporting of suspicious activities.
Indicators of Compromise (IOCs)
Known Malicious IPs
45.32.41.202
104.238.141.143
158.247.199.37
45.32.63.2
Suspicious Serial Numbers
Devices registering with serial numbers like FMG-VMTM23017412.
Malicious Activities
Unregistered Devices Added: Devices named "localhost" appearing in FortiManager.
Configuration Changes: Unauthorized edits to device settings.
Presence of Specific Files: /tmp/.tm and /var/tmp/.tm.
Response from Fortinet and Community Reaction
Fortinet's Actions
Private Disclosure: Initially, Fortinet privately notified customers via emails starting October 13, 2024.
Public Advisory: On October 23, 2024, Fortinet publicly disclosed the vulnerability and released the advisory FG-IR-24-423.
Patches Released: Provided patches for versions 7.2.8 and 7.4.5, with more forthcoming.
Community Concerns
Lack of Transparency: Customers expressed frustration over the private disclosure, with some not receiving notifications.
Delayed Patching: Criticism over the time taken to release patches for all affected versions.
Past Incidents: Fortinet has previously faced scrutiny for similar handling of critical vulnerabilities.
Fortinet's Statement
Fortinet emphasized their commitment to responsible disclosure, aiming to protect customers by providing mitigation steps before public release. They are coordinating with government agencies and industry organizations as part of their response.
Broader Implications
Risk to Managed Service Providers (MSPs)
Supply Chain Attacks: Compromising an MSP can provide attackers access to multiple client networks.
Espionage Potential: Nation-state actors can leverage this vulnerability for intelligence gathering.
Prevalence of Exposed Devices
Shodan Data: Approximately 60,000 FGFM devices are internet-facing.
Geographical Distribution: Majority located in the United States.
Importance of Timely Patching
Exploitation Window: Delays in patching increase the risk of exploitation.
Historical Neglect: Previous vulnerabilities like CVE-2023-27997 remain unpatched in many systems.
Conclusion
The CVE-2024-47575 vulnerability in Fortinet's FortiManager is a critical security issue that demands immediate attention. The active exploitation by sophisticated threat actors underscores the importance of prompt patching, vigilant monitoring, and robust security practices.
Organizations using FortiManager and FortiGate products should:
Act Quickly: Apply patches or implement mitigations without delay.
Enhance Security Posture: Review and strengthen security configurations.
Stay Informed: Monitor official advisories and community discussions for updates.
By taking proactive measures, organizations can mitigate the risks posed by this vulnerability and protect their networks from potential espionage and cyber-attacks.
Additional Resources
Fortinet PSIRT Advisory: FG-IR-24-423
CISA Known Exploited Vulnerabilities Catalog: CISA KEV Catalog
Cybersecurity Community Discussions:
Reddit threads on Fortinet vulnerabilities.
Security researchers' analyses on platforms like Mastodon.
References
Fortinet Official Communications
Kevin Beaumont's Analysis on "FortiJump"
Lawrence Abrams' Reporting on BleepingComputer
Community Reports and Discussions

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.