CVE-2024-47575
published 2024-10-23


Priority: P1 (score 100) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW (exploited in the wild) · Exploit available · Initial access
CISA Known Exploited Vulnerability (due 2024-11-13)
Exploited in the wild
EPSS: 94.76% (99.8th percentile)
A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.12, Fortinet FortiManager Cloud 7.4.1 through 7.4.4, FortiManager Cloud 7.2.1 through 7.2.7, FortiManager Cloud 7.0.1 through 7.0.12, FortiManager Cloud 6.4.1 through 6.4.7 allows attacker to execute arbitrary code or commands via specially crafted requests.

Affected

18 ranges

Vendor    | Product             | Version range       | Fixed in
fortinet  | fortimanager        |                     |
fortinet  | fortimanager        |                     |
fortinet  | fortimanager        | >= 6.2.0 < 6.2.13   | 6.2.13
fortinet  | fortimanager        | 6.2.0 – 6.2.12      |
fortinet  | fortimanager        | >= 6.4.0 < 6.4.15   | 6.4.15
fortinet  | fortimanager        | 6.4.0 – 6.4.14      |
fortinet  | fortimanager        | >= 7.0.0 < 7.0.13   | 7.0.13
fortinet  | fortimanager        | 7.0.0 – 7.0.12      |
fortinet  | fortimanager        | >= 7.2.0 < 7.2.8    | 7.2.8
fortinet  | fortimanager        | 7.2.0 – 7.2.7       |
fortinet  | fortimanager        | >= 7.4.0 < 7.4.5    | 7.4.5
fortinet  | fortimanager        | 7.4.0 – 7.4.4       |
fortinet  | fortimanager_cloud  | 6.4.1 – 6.4.7       |
fortinet  | fortimanager_cloud  | >= 7.0.1 < 7.0.13   | 7.0.13
fortinet  | fortimanager_cloud  | >= 7.2.1 < 7.2.8    | 7.2.8
fortinet  | fortimanager_cloud  | >= 7.4.1 < 7.4.5    | 7.4.5
fortinet  | fortimanagercloud   |                     |
fortinet  | fortinet            |                     |

Detection & IOCs (extracted from sources)

ip: 45.32.41.202
ip: 104.238.141.143
ip: 158.247.199.37
ip: 45.32.63.2
path: /tmp/.tm
path: /var/tmp/.tm
path: /fds/data/unreg_devices.txt
path: /fds/data/subs.dat.tmp
path: /fds/data/subs.dat
  • Look for log entries showing an unregistered device named 'localhost' being added to FortiManager via the DVM subsystem — this is the attacker registering their rogue FortiGate device.
  • Look for log entries showing device settings being edited for the rogue serial number FMG-VMTM23017412, indicating post-exploitation API activity.
  • Check for the presence of /tmp/.tm and /var/tmp/.tm files on FortiManager systems; these are gzip archives used to stage exfiltrated data.
  • Monitor for attacker-controlled FortiGate/FortiManager-VM devices registering to exposed FortiManager servers from the observed Vultr-hosted IPs, particularly 45.32.41.202 which was the first observed attack source.
  • IP 104.238.141.143 has been recently associated with SuperShell C2 infrastructure; treat any FortiManager connections to/from this IP as high-severity.
  • Check /fds/data/subs.dat for attacker-controlled device registration artifacts including serial number, user ID, company name, and email address.
  • Exploitation requires a valid FortiGate certificate; monitor for unexpected or unknown FortiGate devices appearing in the Unregistered Devices section of FortiManager.
  • The Fortinet advisory is noted to be missing a critical exploitation prerequisite: attackers must first obtain a valid certificate from any owned or compromised Fortinet device (including FortiManager VM) before exploiting the authentication bypass.
  • The 'set fgfm-deny-unknown enable' workaround prevents unknown serial numbers from registering but does NOT fully remediate the vulnerability: if an attacker obtains a valid certificate, they may still exploit the flaw.
  • Fortinet confirmed no malware or backdoors were installed on compromised FortiManager systems and no database modifications or changes to managed devices were observed, but stolen config data (IPs, credentials, FortiOS256-hashed passwords) could enable downstream attacks.
  • Not all IOCs will be present on every exploited device; absence of listed indicators does not confirm a system is clean.
  • The FGFM protocol's NAT traversal design means a compromised managed FortiGate can be used to traverse up to the managing FortiManager and then laterally to other managed firewalls and networks; MSP environments are at elevated risk.

CVSS provenance

nvd (v3.1): 9.8 CRITICAL — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL