Exploitation of vulnerability affecting Fortinet FortiManager

24 Oct 2024 12:41 PM

The NCSC is encouraging UK organisations to take immediate action to mitigate a vulnerability affecting Fortinet FortiManager (CVE-2024-47575) and to follow the latest vendor advice.

What has happened?

Fortinet has published a security advisory detailing a missing authentication vulnerability affecting FortiManager.

CVE-2024-47575 may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

Fortinet is aware of active exploitation of this vulnerability.

Who is affected?

Organisations using Fortinet FortiManager, FortiManager Cloud and older FortiAnalyzer models, with the FortiManager feature enabled, are vulnerable.

Exploitation

The vendor advisory highlights that attackers have used an automated script to exfiltrate various files from vulnerable FortiManager devices. These files contain IPs, credentials and configurations of the managed devices.

The NCSC is working to fully understand the UK impact and investigating cases of active exploitation affecting UK networks.

What should I do?

The NCSC recommends following vendor best practice advice to mitigate vulnerabilities. In this case, if you use an affected product, you should take these priority actions:

Undertake a compromise assessment using the IoCs available in the vendor advisory.
Monitor the vendor advisory and when a security update is available for your version, follow the recovery steps outlined to rebuild or reinitialise the device and change credentials and user-sensitive data, before installing the latest version.
If an update for your version isn’t currently available, install the vendor temporary mitigations. Once an update is available for your version, you should follow the vendor’s recovery steps (see above).
Carry out continuous monitoring and threat hunting activities. A report about this vulnerability is available to help organisations detect related activity.
If you suspect a compromise and are in the UK, report it to the NCSC.

More information and indicators of compromise (IoCs) are available in the vendor advisory.

Further NCSC resources

The NCSC provides a range of guidance, services and tools to help your organisation secure systems:

Follow NCSC guidance including vulnerability management and preventing lateral movement.
If your organisation is in the UK, you can sign up to the free NCSC Early Warning service to receive notifications of potential cyber threats on your network. If you are already an Early Warning user, please check your MyNCSC portal.
The NCSC Vulnerability Disclosure Toolkit helps organisations of all sizes with the essential components of implementing a vulnerability disclosure process.