FortiJump Vulnerability Confirmed by Fortinet

Fortinet has confirmed the existence of a critical security flaw impacting their FortiManager products. The vulnerability is being actively exploited in the wild.

Tracked as CVE-2024-47575 (CVSS score: 9.8), the vulnerability is also known as FortiJump and is a missing authentication vulnerability, rooted in the FortiManager fgfmd daemon that is responsible for the FortiGate to FortiManager (FGFM) protocol. Successful exploitation of the vulnerability may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

The vulnerability impacts FortiManager versions 7.x and 6.x, and FortiManager Cloud 7.x and 6.x. Additionally, it affects the older FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, and 3900E (if they have the fgfm service enabled on at least one of the device’s interfaces).

Threats and Vulnerabilities

A search on the attack surface management company Shodan reveals that at time of writing, there are 4,081 exposed FortiManager admin portals online, with nearly 30% of them located in the U.S. Roughly 20% of the publicly accessible instances are associated with Microsoft Cloud.

Client Impact

The potential impact on clients, especially those in the industrial and energy sectors, is significant.

Considering where Fortinet solutions are deployed, including critical infrastructure, the ease of exploitation and the potential impact of a successful breach, the risk that CVE-2024-47575 poses should not be underestimated.

Exploiting the FortiManager vulnerability is appealing to the type of threat actors that target large-scale enterprises and industrial organizations because of its potential for remote code execution. The potential impact of a successful exploit ranges from unauthorized access to internal systems and exfiltration of proprietary information to disruption of production processes and all associated consequences.

Mitigations

The following are recommended fixes/remediations/workarounds for the FortiManager vulnerability:

  1. Upgrade to a fixed version of FortiManager.
  2. For FortiManager versions 7.0.12 or above, 7.2.5 or above, 7.4.3 or above (but not 7.6.0), prevent unknown devices from attempting to register:

    config system global
    (global)# set fgfm-deny-unknown enable
    (global)# end
  3. For FortiManager versions 7.2.0 and above, you may add local-in policies to whitelist the IP addresses of FortiGates that are allowed to connect. The first entry accepts the allowed sources on the FGFM port (541); the second entry denies every other source on that port.

    Example (replace the placeholder with the address or range of your FortiGates):

    config system local-in-policy
    edit 1
    set action accept
    set dport 541
    set src <allowed-fortigate-ip-range>
    next
    edit 2
    set action deny
    set dport 541
    next
    end

  4. For 7.2.2 and above, 7.4.0 and above, 7.6.0 and above it is also possible to use a custom CA certificate (and install that certificate on FortiGates), so that only devices presenting a certificate signed by that CA are accepted, which will mitigate the issue (replace the placeholder with the name of the custom CA certificate loaded on the FortiManager):

    config system global
    set fgfm-ca-cert <custom-ca-certificate-name>
    set fgfm-cert-exclusive enable
    end
  5. For FortiManager versions 6.2, 6.4, and 7.0.11 and below, please upgrade to one of the versions above and apply the above workarounds.
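Because the steps above depend on the FortiManager version, here is an added Python helper (not code from Fortinet or 1898 & Co.) that maps a version string to the workarounds the advisory lists for it and renders the local-in allowlist for a set of FortiGate sources. The sample addresses are constructed, and the `set src` value is passed through unchanged, so use whatever address format your FortiManager accepts.

```python
"""Triage helper for CVE-2024-47575 (FortiJump) workarounds by FortiManager version.
The version thresholds below are the ones stated in the advisory text above."""
from typing import List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Accept forms like "7.4.3", "v7.2.5" or "7.0.12 build1234"; keep major.minor.patch."""
    parts = text.strip().lower().lstrip("v").split()[0].split(".")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:  # pad "7.2" to (7, 2, 0)
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def available_workarounds(version: str) -> List[str]:
    """Return the advisory's options for this version; upgrading is always listed first."""
    v = parse_version(version)
    branch = (v[0], v[1])
    out = ["upgrade"]
    # fgfm-deny-unknown: 7.0.12+, 7.2.5+, 7.4.3+ (the advisory excludes 7.6.0, so 7.6 is not listed)
    if (branch == (7, 0) and v >= (7, 0, 12)) or (branch == (7, 2) and v >= (7, 2, 5)) \
            or (branch == (7, 4) and v >= (7, 4, 3)):
        out.append("fgfm-deny-unknown")
    # local-in policy allowlist: 7.2.0 and above
    if v >= (7, 2, 0):
        out.append("local-in-policy")
    # custom CA certificate with fgfm-cert-exclusive: 7.2.2+, 7.4.0+, 7.6.0+
    if (branch == (7, 2) and v >= (7, 2, 2)) or v >= (7, 4, 0):
        out.append("fgfm-cert-exclusive")
    return out  # 6.x and 7.0.11 or below get only "upgrade", as the advisory says


def render_local_in_policy(allowed_sources: List[str]) -> str:
    """Render the advisory's allowlist: one accept entry per source on port 541, then a catch-all deny."""
    lines = ["config system local-in-policy"]
    for idx, src in enumerate(allowed_sources, start=1):
        lines += [f"edit {idx}", "set action accept", "set dport 541", f"set src {src}", "next"]
    lines += [f"edit {len(allowed_sources) + 1}", "set action deny", "set dport 541", "next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed inventory: version strings as an ASM scan might record them.
    for ver in ["6.4.14", "7.0.11", "7.0.12", "7.2.2", "7.4.3 build2384", "7.6.0"]:
        print(f"{ver:>16}: {', '.join(available_workarounds(ver))}")
    print(render_local_in_policy(["10.1.1.5", "10.1.1.6"]))  # constructed FortiGate addresses
```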

Additionally, implementing strict access controls and multi-factor authentication for ICS environments, implementing security monitoring, conducting regular vulnerability assessments and penetration testing of ICS networks, and providing cybersecurity awareness training focused on ICS threats to relevant staff may provide greater protection. Establishing secure remote access methods for ICS maintenance and operations, and maintaining regular, offline backups of ICS configurations and data are additional mitigation approaches.

1898 & Co. Response

In response to the FortiManager threat, 1898 & Co. has initiated a comprehensive strategy to protect our clients and contribute to the broader cybersecurity community. As an immediate step, our team is validating whether the FortiManager vulnerability is present in the environments of our Attack Surface Management customers and notifying and assisting affected customers to detect, eradicate and recover from the vulnerability.

In addition to working with our ASM customers, 1898 & Co. is conducting targeted threat hunts across all of our MSS customers' environments, focused on identifying FortiManager vulnerabilities and any Indicators of Compromise (IOCs) or other anomalies that may indicate exploitation of the vulnerabilities.

Furthermore, we are performing in-depth vulnerability assessments on client ICS environments to identify and address potential weaknesses before they can be exploited. Our experts are working closely with clients to implement effective network segmentation and access control measures, crucial steps in containing adversaries and preventing them from using vulnerabilities like the FortiManager flaw to infiltrate their organization.

We are developing custom detection rules based on the FortiManager vulnerabilities to further enhance our clients' defensive capabilities.

Recognizing the importance of human factors in cybersecurity, we are providing tailored ICS security awareness training to our clients' personnel. This training focuses on recognizing and responding to potential threats specific to industrial control systems.

Lastly, we are actively collaborating with industry partners and contributing to threat intelligence sharing initiatives. This collaborative approach ensures that we remain at the forefront of emerging threats and can provide our clients with the most up-to-date protection strategies.

Sources

For more detailed information and technical resources, please refer to the following sources:

  1. CISA KEV: https://www.cisa.gov/news-events/alerts/2024/10/23/cisa-adds-one-known-exploited-vulnerability-catalog
  2. Shodan Search Engine: https://www.shodan.io/dashboard
  3. Fortinet Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-423