FortiJump: A Major Zero-Day Vulnerability
When a zero-day vulnerability is rated at 9.8 on CVSS v3, you take notice [here]:
The vulnerability, named FortiJump, relates to the FortiManager network management solution from Fortinet and is published as CVE-2024-47575. During October, Mandiant [here] has been working with Fortinet on a mass exploitation of FortiManager, with more than 50 devices likely to have been exploited. It has been shown that the UNC5820 group [here] has been using the vulnerability to harvest user credentials and other device details.
On 27 June 2024, it was detected that multiple FortiManager devices logged inbound connections from 45.32.41.202 on TCP port 541 (the default port for FortiManager access). These connections then led to access to a number of files, including: /var/dm/RCS (config files of managed devices); /var/dm/RCS/revinfo.db (further information on devices); /var/fds/data/devices.txt (IP addresses of FortiGate devices); /var/pm2/global.db (containing policies); and /var/old_fmversion (build information). After this, an exploit on FortiManager was discovered. The known malicious IP addresses are: 45.32.41.202, 104.238.141.143, 158.247.199.37 and 45.32.63.2.
A scan on Shodan with a banner hex value of 0xAB identifies a number of possible devices that are exposed to the vulnerability:
Conclusions
Investigations are ongoing, so we should hear a great deal about this vulnerability over the next few days. The current advice is:
- Lock down access to the FortiManager admin portal to trusted IP addresses.
- Make sure that only trusted FortiGate devices can communicate with FortiManager, and block unauthorized devices.
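As an added example (not code from the original post, Fortinet or Mandiant), the following script turns the indicators above into a simple log check: it flags TCP 541 connections from the four listed IP addresses, flags 541 connections from any source that is not on an allowlist of trusted FortiGate devices (the advice in the conclusions), and flags reads of the sensitive paths listed in the write-up. The log lines and the trusted-device list are constructed for the example, and the key=value line format is an assumption rather than the real FortiManager log format; the IP addresses and file paths are the ones the post gives.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Indicators taken from the write-up above.
KNOWN_MALICIOUS_IPS = {"45.32.41.202", "104.238.141.143", "158.247.199.37", "45.32.63.2"}
FORTIMANAGER_PORT = 541
SENSITIVE_PATHS = (
    "/var/dm/RCS",               # also covers /var/dm/RCS/revinfo.db
    "/var/fds/data/devices.txt",
    "/var/pm2/global.db",
    "/var/old_fmversion",
)

# Hypothetical allowlist of FortiGate devices permitted to reach FortiManager (assumption).
TRUSTED_DEVICE_IPS: Set[str] = {"10.0.0.11", "10.0.0.12"}

# Constructed sample log in a simplified "timestamp kind key=value ..." format (assumption:
# this is not the real FortiManager log format; adapt parse_line() to your own source).
SAMPLE_LOG = """\
2024-06-27T10:12:01Z conn src=10.0.0.11 dst=10.0.0.5 dport=541 action=accept
2024-06-27T10:13:44Z conn src=45.32.41.202 dst=10.0.0.5 dport=541 action=accept
2024-06-27T10:13:45Z file src=45.32.41.202 path=/var/dm/RCS/revinfo.db op=read
2024-06-27T10:14:02Z conn src=203.0.113.9 dst=10.0.0.5 dport=541 action=accept
2024-06-27T10:14:03Z file src=203.0.113.9 path=/var/fds/data/devices.txt op=read
2024-06-27T10:15:00Z conn src=10.0.0.12 dst=10.0.0.5 dport=443 action=accept
2024-06-27T10:16:00Z file src=10.0.0.12 path=/var/log/messages op=read
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str
    reason: str
    src: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split a line into timestamp, event kind and key=value fields."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    ts, kind, rest = parts
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    fields["kind"] = kind
    return fields


def is_sensitive(path: str) -> bool:
    """True if path is one of the listed files or lives under a listed directory."""
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PATHS)


def analyze(log_text: str, trusted: Set[str] = TRUSTED_DEVICE_IPS) -> List[Finding]:
    """Return findings for IoC hits, non-allowlisted port 541 sources and sensitive file reads."""
    findings: List[Finding] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        ev = parse_line(line)
        if not ev:
            continue
        src = ev.get("src", "")
        if ev["kind"] == "conn":
            if ev.get("dport") != str(FORTIMANAGER_PORT):
                continue
            if src in KNOWN_MALICIOUS_IPS:
                findings.append(Finding(n, "critical", "known FortiJump IoC on port 541", src))
            elif src not in trusted:
                findings.append(Finding(n, "high", "port 541 connection from non-allowlisted source", src))
        elif ev["kind"] == "file":
            path = ev.get("path", "")
            if is_sensitive(path):
                sev = "critical" if src in KNOWN_MALICIOUS_IPS else "high"
                findings.append(Finding(n, sev, f"access to sensitive path {path}", src))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no}: [{f.severity}] {f.reason} (src={f.src})")
```

On the constructed sample this reports the two events from the listed IoC as critical and the two events from the unknown 203.0.113.9 host as high, while the trusted device on port 541, the port 443 connection and the read of /var/log/messages produce nothing. The allowlist rule matters because IoC lists go stale quickly; treating any non-FortiGate source on port 541 as suspicious is what the conclusions actually recommend.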