NAVANEM
CVE-2024-47575: exploited in the wild

Fortinet FortiManager, missing authentication on fgfmd (FortiJump)

A missing authentication for critical function vulnerability in Fortinet FortiManager allows a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

Overview

CVE-2024-47575, publicly tracked as FortiJump, is a critical missing-authentication vulnerability in the FortiGate-to-FortiManager (FGFM) protocol of Fortinet FortiManager. It allows remote unauthenticated attackers to register rogue FortiGate devices with a FortiManager instance and execute arbitrary commands against it. The vulnerability was exploited as a zero-day in the wild from at least June 27, 2024, approximately four months before public disclosure on October 23, 2024.

Technical Details

The FGFM protocol operates on TCP port 541 and facilitates communication between managed FortiGate devices and the central FortiManager. The critical flaw lies in FortiManager's failure to validate whether an incoming device connection is actually authorized before processing certain commands.

An attacker who can reach TCP/541 on a vulnerable FortiManager can:

  • Register a rogue FortiGate device without authentication
  • Query the FortiManager's device inventory
  • Exfiltrate configurations from all managed FortiGate firewalls
  • Trigger code paths leading to arbitrary command execution via specially crafted requests

Mandiant tracked exploitation activity under the threat cluster UNC5820, documenting attacks against multiple organizations' FortiManager instances.

Impact

The impact of this vulnerability is severe, particularly for Managed Service Providers (MSPs). FortiManager serves as the central administration plane for entire fleets of FortiGate firewalls. Successful exploitation grants attackers access to:

  • VPN preshared keys
  • Active Directory bind credentials
  • Internal network routing information
  • The ability to push malicious configurations to all managed devices

This represents a textbook supply-chain compromise scenario where a single FortiManager breach can cascade to every customer firewall under management. The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalogue.

Mitigation

  1. Apply patches immediately: Update to FortiManager versions 6.2.13, 6.4.15, 7.0.13, 7.2.8, 7.4.5, 7.6.1 or later. Equivalent fixes are available for FortiManager Cloud.

  2. Apply workaround if patching is delayed: Enable fgfm-deny-unknown via CLI:

    config system global
        set fgfm-deny-unknown enable
    end

    This rejects FGFM connections from devices that are not already in the manager's inventory.

  3. Network segmentation: Restrict TCP/541 access to trusted management networks only. Never expose this port publicly.
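As an added example (not part of this advisory and not a Fortinet tool), the following Python script checks FortiManager version strings against the fixed releases listed in step 1 and reports, per instance, whether it is patched, still needs the upgrade plus the interim workaround, or sits on a branch for which this page lists no fix. The fixed-version table is taken from the text above; the version-string format, the function names and the sample fleet are assumptions constructed for the example.

```python
"""Triage FortiManager versions against the CVE-2024-47575 fixed releases.

Added example; the FIXED_VERSIONS table reflects the mitigation section of
the advisory above, everything else (parsing, names, sample fleet) is the
example's own assumption.
"""
import re

# Minimum fixed release per major.minor branch, as listed in step 1.
FIXED_VERSIONS = {
    (6, 2): (6, 2, 13),
    (6, 4): (6, 4, 15),
    (7, 0): (7, 0, 13),
    (7, 2): (7, 2, 8),
    (7, 4): (7, 4, 5),
    (7, 6): (7, 6, 1),
}

# Accepts "7.4.3", "v7.4.3" or "v7.4.3-build1234" (assumed input shapes).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) for a version string, or raise ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(version_text):
    """Classify one version as 'patched', 'vulnerable' or 'unknown-branch'.

    'unknown-branch' means the advisory lists no fixed release for that
    major.minor line, so the table cannot decide it either way.
    """
    major, minor, patch = parse_version(version_text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return "unknown-branch"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def triage(fleet):
    """Map hostname -> recommended action for an iterable of (host, version)."""
    advice = {}
    for host, version in fleet:
        state = assess(version)
        if state == "vulnerable":
            branch = parse_version(version)[:2]
            target = ".".join(str(n) for n in FIXED_VERSIONS[branch])
            advice[host] = (f"upgrade {version} -> {target} or later; until then "
                            f"enable fgfm-deny-unknown and restrict TCP/541")
        elif state == "unknown-branch":
            advice[host] = (f"{version}: no fixed release listed for this branch, "
                            f"confirm against the vendor advisory")
        else:
            advice[host] = f"{version}: patched"
    return advice


if __name__ == "__main__":
    # Constructed sample fleet, not real hosts.
    sample_fleet = [
        ("fmg-hq", "7.4.5"),
        ("fmg-msp-01", "v7.2.7-build0512"),
        ("fmg-lab", "7.6.0"),
        ("fmg-legacy", "6.0.11"),
    ]
    for host, action in triage(sample_fleet).items():
        print(f"{host:12} {action}")
```

The comparison is branch-aware on purpose: 7.2.8 is fixed while 7.4.4 is not, so a single global threshold would misclassify one of them.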

Detection

Organizations should hunt for the following Indicators of Compromise from Mandiant's analysis:

  • Serial number: FMG-VMTM23017412
  • IP addresses: 45.32.41.202, 158.247.199.37
  • Anomalous device-flag entries in the FortiManager device table

Review FortiManager logs for unexpected device registrations and configuration queries.
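The indicators above can be matched mechanically. The following Python script is an added example (not from Mandiant, Fortinet or this advisory): it parses key=value event lines, flags any line carrying the listed serial number or IP addresses, and separately flags device registrations and configuration retrievals by devices absent from a known inventory, which is the behaviour pattern the exploitation relies on. The line format, the field names (srcip, devsn, action, devname), the inventory and the sample lines are all constructed for the example and do not reproduce FortiManager's real log schema.

```python
"""Hunt constructed FortiManager-style event lines for CVE-2024-47575 indicators.

Added example. The serial number and IP addresses are the indicators listed in
the Detection section above; the log layout, field names, inventory and sample
lines are assumptions constructed for this script.
"""
import ipaddress
import re

IOC_SERIAL = "FMG-VMTM23017412"
IOC_IPS = {
    ipaddress.ip_address("45.32.41.202"),
    ipaddress.ip_address("158.247.199.37"),
}

# Constructed allowlist of device serials that are expected to talk to this manager.
KNOWN_INVENTORY = {"FGT60F0000000001", "FGT60F0000000002"}

# Constructed sample events; the field names are this example's own, not Fortinet's.
SAMPLE_LOGS = [
    'date=2024-06-27 time=09:14:02 srcip=10.20.0.5 devsn=FGT60F0000000001 action=register status=ok',
    'date=2024-06-27 time=09:20:44 srcip=45.32.41.202 devsn=FMG-VMTM23017412 action=register status=ok',
    'date=2024-06-27 time=09:21:10 srcip=45.32.41.202 devsn=FMG-VMTM23017412 action=get-config devname=edge-fw-01',
    'date=2024-06-28 time=02:03:55 srcip=158.247.199.37 devsn=FGT0000NEWDEVICE action=register status=ok',
    'date=2024-06-28 time=08:00:00 srcip=10.20.0.6 devsn=FGT60F0000000002 action=get-config devname=edge-fw-02',
]

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split a key=value event line into a dict, stripping quoted values."""
    return {key: value.strip('"') for key, value in _KV_RE.findall(line)}


def analyse(lines, inventory=KNOWN_INVENTORY):
    """Return a list of findings; each has the 1-based line number and reasons."""
    findings = []
    for number, line in enumerate(lines, 1):
        rec = parse_line(line)
        serial = rec.get("devsn")
        src = rec.get("srcip")
        reasons = []
        if serial == IOC_SERIAL:
            reasons.append("IoC serial number")
        if src is not None:
            try:
                if ipaddress.ip_address(src) in IOC_IPS:
                    reasons.append("IoC source IP")
            except ValueError:
                reasons.append("unparseable srcip")
        # Behavioural checks: these fire even for attacker infrastructure
        # that is not on the published indicator list.
        if rec.get("action") == "register" and serial not in inventory:
            reasons.append("registration by device not in inventory")
        if rec.get("action") == "get-config" and serial not in inventory:
            reasons.append("config retrieval by device not in inventory")
        if reasons:
            findings.append({"line": number, "srcip": src,
                             "devsn": serial, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOGS):
        print(f"line {finding['line']}: {finding['srcip']} {finding['devsn']} "
              f"-> {', '.join(finding['reasons'])}")
```

The inventory-based checks matter more than the literal indicators: once the published serial and addresses are known, they are trivial to change, whereas a registration or configuration pull from a device the manager has never been told about is the activity itself.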