Cybersecurity company Fortinet released an advisory on CVE-2024-47575, a critical zero-day vulnerability impacting several versions of their FortiManager network management software.
The company says a missing-authentication-for-critical-function vulnerability [CWE-306] in the FortiManager fgfmd daemon may allow a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. The vulnerability has a CVSS v3 score of 9.8.
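To show what a CWE-306 flaw looks like in practice, here is an added example (not code from the page, from Fortinet, or from fgfmd): a constructed toy device-management daemon in Python. The first handler dispatches privileged operations on nothing more than attacker-controlled request fields, which is the missing-authentication pattern; the hardened handler refuses serials that are not already registered and requires a per-device HMAC before any critical function runs. Device serials, keys, the message format and the MAC scheme are all assumptions made for the illustration.

```python
import hmac
import hashlib
import json

# Constructed example: a toy management daemon that accepts JSON requests
# from "managed devices". This is NOT FortiManager's fgfmd code; it only
# illustrates CWE-306 (missing authentication for a critical function)
# next to a hardened counterpart.

# Constructed registry of known devices: serial -> pre-shared key (assumed).
REGISTERED_DEVICES = {
    "DEVICE-0001": b"k-0001-secret",
    "DEVICE-0002": b"k-0002-secret",
}

# Operations that must never run for an unauthenticated peer.
CRITICAL_OPS = {"exec", "register", "push_config"}


class ToyDaemon:
    """Records which requests reached the privileged action so the two
    handlers can be compared."""

    def __init__(self):
        self.executed = []  # (serial, op, payload) that reached _do_critical
        self.devices = dict(REGISTERED_DEVICES)

    def _do_critical(self, serial, op, payload):
        # Stand-in for the privileged action (command execution, device add).
        self.executed.append((serial, op, payload))
        return "ok"


def handle_vulnerable(daemon, raw):
    """CWE-306: any peer that can reach the port is trusted; the serial is
    taken from the request itself and never verified."""
    msg = json.loads(raw)
    if msg.get("op") in CRITICAL_OPS:
        return daemon._do_critical(msg.get("serial"), msg["op"], msg.get("payload"))
    return "ignored"


def sign(key, serial, op, payload):
    """Constructed MAC over the fields that matter, using canonical JSON so
    both sides serialise identically."""
    body = json.dumps({"serial": serial, "op": op, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def handle_hardened(daemon, raw):
    """Authenticate before any critical function:
    1. serials not in the registry are denied (no self-registration);
    2. the request must carry a valid MAC under that device's key."""
    msg = json.loads(raw)
    serial = msg.get("serial")
    key = daemon.devices.get(serial)
    if key is None:
        return "denied: unknown device"
    expected = sign(key, serial, msg.get("op"), msg.get("payload"))
    presented = str(msg.get("mac", "")).encode()
    if not hmac.compare_digest(expected.encode(), presented):
        return "denied: bad mac"
    if msg.get("op") in CRITICAL_OPS:
        return daemon._do_critical(serial, msg["op"], msg.get("payload"))
    return "ignored"


def demo():
    """Runs a forged, a legitimate and a tampered request through the
    handlers and returns the outcomes for inspection."""
    forged = json.dumps({"serial": "ATTACKER-999", "op": "exec", "payload": "id"})
    vuln, hard = ToyDaemon(), ToyDaemon()

    v = handle_vulnerable(vuln, forged)          # executes: nothing was checked
    h = handle_hardened(hard, forged)            # denied: serial not registered
    forged_executed = len(hard.executed)

    key = REGISTERED_DEVICES["DEVICE-0001"]
    mac = sign(key, "DEVICE-0001", "exec", "diagnose")
    legit = {"serial": "DEVICE-0001", "op": "exec", "payload": "diagnose", "mac": mac}
    l = handle_hardened(hard, json.dumps(legit))  # ok: registered and signed

    tampered = dict(legit, payload="reboot")      # same MAC, altered payload
    t = handle_hardened(hard, json.dumps(tampered))

    return {
        "vulnerable": (v, len(vuln.executed)),
        "hardened_forged": (h, forged_executed),
        "hardened_legit": l,
        "hardened_tampered": t,
        "hardened_executed": len(hard.executed),
    }


if __name__ == "__main__":
    print(demo())
```

The forged request succeeds against the first handler and is rejected by the second before it can touch the critical path; the tampered request shows why the MAC must cover every field the daemon acts on, not just the serial. In a real deployment the same two controls are what matter: do not let arbitrary peers register themselves, and bind every privileged request to an identity the server verified rather than one the client asserted.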
“Reports have shown this vulnerability to be exploited in the wild,” the October 23, 2024, advisory reads. “At this stage, we have not received reports of any low-level system installations of malware or backdoors on these compromised FortiManager systems. To the best of our knowledge, there have been no indicators of modified databases, or connections and modifications to the managed device.”
Fortinet had reportedly warned customers about the vulnerability the previous week, and the flaw had been discussed online since mid-October.
“Australian organisations should review their networks for use of vulnerable instances of FortiManager devices and implement the mitigation advice provided by the vendor,” warns the Australian Cyber Security Centre.
The Fortinet advisory provides indicators of compromise, workarounds, and recovery methods.
Since 2022, at least eight documented Fortinet zero-days have been added to CISA’s KEV (Known Exploited Vulnerabilities) catalog, including critical flaws in FortiOS and its SSL-VPN daemon (sslvpnd).