Cybersecurity Threat Advisory: FortiManager API vulnerability exploited

Fortinet has publicly disclosed a vulnerability in the FortiManager API. The vulnerability, tracked as CVE-2024-47575 and dubbed ‘FortiJump,’ has been exploited as a zero-day since at least June 2024. Organizations using vulnerable FortiManager versions should review this Cybersecurity Threat Advisory and apply the necessary patches to secure their environments.

What is the threat?

The FortiGate to FortiManager (FGFM) protocol vulnerability has a CVSS score of 9.8 and permits unauthorized API calls from attacker-controlled devices, potentially using compromised certificates. By exploiting this flaw, attackers can register unauthorized FortiManager VMs to target FortiManager servers, exfiltrating configuration data that could lead to lateral movements within networks. Attackers leverage files storing serial numbers, user IDs, and email addresses tied to attacker-controlled devices, facilitating further intrusion if left unmitigated. The affected versions of FortiManager are listed below:

• FortiManager 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.7, 7.0.0 through 7.0.12
• FortiManager 6.4.0 through 6.4.14
• FortiManager 6.2.0 through 6.2.12
• FortiManager Cloud 7.4.1 through 7.4.4
• FortiManager Cloud 7.2.1 through 7.2.7
• FortiManager Cloud 7.0.1 through 7.0.12
• FortiManager Cloud 6.4 all versions

Why is this noteworthy?

‘FortiJump’ has been actively exploited by threat actors. This vulnerability is significant due to its high severity, widespread impact, and potential for severe consequences. Successful exploitation can lead to data exfiltration, network disruption, and lateral movement within an organization’s network. Given the severity of the vulnerability and the ongoing exploitation attempts, it is imperative for organizations to prioritize patching their FortiManager devices to mitigate the risks associated with this threat.

What is the exposure or risk?

This vulnerability stems from a missing authentication flaw in the FortiGate to FortiManager (FGFM) API, allowing unauthenticated attackers to execute arbitrary commands on FortiManager servers via crafted API requests. This provides attackers with unauthorized access to sensitive configuration data about managed FortiGate devices, including credential hashes, posing severe risks to the security of organizations using the affected versions of FortiManager.

What are the recommendations?

Barracuda recommends the following actions to limit the impact of FortiJump:

• Apply the latest security patches and updates from Fortinet.
• Implement network segmentation to isolate the FortiManager device from other critical systems.
• Deploy intrusion detection systems (IDS) solutions to monitor network traffic for signs of malicious activity.
• Use advanced security platforms, such as Barracuda XDR Network Security, to analyze logs and detect anomalies that may indicate an attack.

References

For more in-depth information about the recommendations, please visit the following links:

• https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critical-fortimanager-flaw-used-in-zero-day-attacks/

If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.